Home » Search results for 'sip uri' (Page 2)

Search Results for: sip uri

The Most Versatile VoIP Provider: FREE PORTING

Introducing OpenSIPS 3 for Incredible PBX and Debian 10


Today we’re pleased to introduce an updated OpenSIPS installer for Debian 10 featuring the latest release of OpenSIPS. Our previous tutorial with Debian 8 is now obsolete, an all-too-frequent occurrence in the open source world. Today’s open source SIP server lets you connect users to make and receive free as well as commercial calls worldwide. There’s excellent documentation making it easy to integrate into our existing Incredible PBX platform without hiring a consultant. It’s also straight-forward to secure without providing free phone service to every bad guy on the planet.

OpenSIPS is a multi-functional, multi-purpose signaling SIP server used by carriers, telecoms or ITSPs for solutions like Class4/5 Residential Platforms, Trunking / Wholesale, Enterprise / Virtual PBX Solutions, Session Border Controllers, Application Servers, Front-End Load Balancers, IMS Platforms, Call Centers, and many others. Source: opensips.org

We’ve often complained that the problem with many open source projects is that the developers get so focused on making money that they skimp on the documentation to encourage consulting work or participation in expensive conferences. We have found just the opposite with OpenSIPS. In fact, much of today’s implementation is based upon an excellent tutorial by the folks at PowerPBX. Down the road, if you find yourself in need of a consultant, their services would be a good place to start. What we’ve added to the PowerPBX design is security, support for clients behind NAT-based routers, and an integration scheme for Asterisk®, FreePBX®, and Incredible PBX® platforms so that you get the best of all worlds, a public facing SIP server with the UC feature set that most organizations expect. Last but not least, our turnkey GPLv2 installer will get you up and running in about 5 minutes.

Choosing an Appropriate Platform for OpenSIPS

Let’s begin by addressing the appropriate platform for an OpenSIPS server. The server needs to have a public IP address that is static, and the server should not be situated behind a NAT-based router. It only complicates things and is beyond the scope of what we plan to address. For those that are frequent visitors, you already know that we’ve been pushing everyone to kiss their local hardware goodbye and join the cloud revolution. When it comes to public-facing VoIP platforms like OpenSIPS, most of us don’t have a choice. You need a static IP address on the open Internet. And, for the sake of security, a KVM cloud platform is a must since older OpenVZ platforms don’t support the ipset component of IPtables which makes it easy to block hundreds of thousands of IP addresses without a performance hit on your server. Pure whitelist access simply isn’t an option if you wish to retain the functionality of a VoIP application such as OpenSIPS.

Ten to twenty gigabytes of disk space should be more than ample for OpenSIPS. The amount of RAM in your server depends upon the volume of calls your server will be handling. If it’s a dozen simultaneous calls then 1GB of RAM will suffice. If it’s 100,000 calls, then take a look at this article for tips on sizing your server. For today’s implementation, you’ll need a Debian 10 platform so a low-cost KVM provider including Digital Ocean, Vultr, and OVH should be fine.1

Choosing OpenSIPS Components to Deploy

We’ve divided up today’s tutorial into bite-sized pieces so that you can pick and choose where to stop implementing and start using. You do not need to have an Asterisk server to make and receive calls with OpenSIPS. However, OpenSIPS lacks voicemail and AutoAttendant/IVR components so, if those are a requirement, then you either need a VoIP service provider that offers them, or deploy a $50 Incredible PBX for the Raspberry Pi to add the missing pieces.

What OpenSIPS offers is a free server platform for worldwide SIP communications so that you, your friends, and business associates can call or connect from anywhere using freely available SIP softphones or any of dozens of SIP telephone instruments. We’ll stick with softphones for today, but hardware-based SIP telephones are equally simple to deploy.

This is not a criticism because it is one of the best tutorials we’ve ever used but, if you want to see how complex a typical OpenSIPS server deployment is, take a look at the PowerPBX tutorial we used as a starting point with OpenSIPS. We’ve compressed most of those procedures into a turnkey installer that only requires you to enter a MySQL root password of passw0rd (with a zero) once you have your Debian 10/64 platform up and running.

Deploying a Debian 10 Server Platform

Start by choosing a cloud provider that offers the 64-bit Debian 10 minimal platform as a deployment option. Most do. As noted, we recommend a KVM platform with support for ipset making it easy to block entire countries overrun with bad guys. Choose offerings with at least 1GB RAM and a 10GB drive to get started. Configure your Debian 10 server with a fully-qualified domain name (FQDN). This is critically important with our security design because we will assign all OpenSIPS users/extensions to this FQDN and reserve your server’s IP address purely for connections from service providers and Asterisk servers. This makes it all but impossible for anyone to hack into your server since most script kiddies launch attacks on IP addresses, not FQDNs. Using an unusual FQDN adds an extra layer of security, but that’s your call. If you lack the ability to assign FQDN aliases to a domain which you own, you can obtain a free FQDN from numerous sources including ChangeIP and point it to the IP address of your OpenSIPS server.

Installing OpenSIPS on a Debian 10 Server

Now the fun begins. Log into your Debian 8 server as root and issue the following commands to prepare for the OpenSIPS install:

cd /root
wget http://incrediblepbx.com/opensips3.tar.gz
tar zxvf opensips3.tar.gz
rm -f opensips3.tar.gz

Make sure you have logged into your Debian 10 server as root using SSH or Putty from a desktop PC that you will use to manage OpenSIPS with a browser. The reason is because this IP address automatically will be whitelisted in the OpenSIPS firewall as part of the install process. Otherwise, you will need to manually log into SSH and whitelist the IP address of your desktop PC using /root/add-ip each time you wish to access the OpenSIPS Control Panel since TCP port 80 (HTTP) is not exposed to the public Internet as a security precaution.

To begin the install, issue this command: /root/install

As the install progresses, you’ll first be prompted to choose the GRUB install device. Press the spacebar on the first entry. Then press TAB and ENTER. When prompted for the SSH configuration, choose "keep local version" and then press TAB and ENTER. For the MariaDB setup, press ENTER when prompted for the current password. Type N when prompted whether to switch to unix_socket authorization. Then type Y to change the root password. Be sure to use passw0rd (with a zero) as your MySQL password, or the install will fail. This is NOT a security risk unless your Debian 10 root user account is compromised. And, in that case, it won’t matter anyway since the MySQL password could easily be changed. Type Y to remove anonymous users. Type Y to disallow remote root logins. Type Y to reload the MySQL privilege tables.

Next you’ll be prompted to set your timezone and TZ entries. For East Coast U.S., it’s 2,49,1,1 then America/New_York. Later you’ll be prompted twice for the MySQL root password. You must enter passw0rd (with a zero). When the OpenSIPS status screen displays, type Q to exit the display. There are a couple of steps where you will be prompted for input. Correct responses are indicated before the various prompts. Pay particular attention when you are prompted to change the SSH port from TCP 22 to a port number in the 1000-2020 range as a security precaution. We recommend using the year you were born because it will be easy for you to remember. When the install finishes and you log out of your server, the next SSH login will look like this where XXXX is the SSH port you chose and yyy.yyy.yyy.yyy is the OpenSIPS server address: ssh -p XXXX root@yyy.yyy.yyy.yyy


Although most of the configuration of your OpenSIPS server will be handled using a web browser and the OpenSIPS Control Panel GUI, we’ve included a few scripts in /root to assist with maintenance of your server platform. Here’s a brief summary of the script functions:

  • pbxstatus – Status of your OpenSIPS server (image sample above)
  • add-ip – Temporarily WhiteList IP address until next iptables-restart
  • ban-ip – Permanently Ban an IP address
  • unban-ip – Unban a previously banned IP address
  • log-purge – Zero out all of the major Linux log files
  • opensips-check – Assures OpenSIPS and RTPproxy are running (runs automatically)
  • Fail2Ban BlackListsiptables -nL | grep -A100000 "opensips ("
  • IPset BlackList (KVM/OVZ7 platforms only) – ipset list | sort

We secure your server in several ways: (1) by disguising the SSH port, (2) by locking down almost every port on your server with the IPtables firewall with the exception of the SIP ports, (3) by deploying Fail2Ban to scan your OpenSIPS log for errors and lock out attackers for an extended period of time, and (4) by deploying the IPset blacklist for KVM platforms. With this design, there is a symbiotic relationship between IPtables, Fail2Ban, and IPset. Therefore, it is critically important that you only restart these services using the iptables-restart command. NEVER issue other IPtables commands to restart or save your firewall settings.

Activating a SIP Server with OpenSIPS Control Panel

We don’t want to overload you on the first day with your new OpenSIPS 3 platform so we’ll walk you through the preliminary setup steps to create your SIP Domain. Then we’ll show you how to set up user accounts (also known as extensions). Finally we’ll walk you through setting up a trunk to make and receive calls from a commercial SIP provider. When we’re finished today, you’ll be able to make and receive calls using SIP URIs or DIDs which you have purchased from a provider. Then next week we’ll focus on integration of OpenSIPS with an Asterisk platform of your choice using Incredible PBX as an example. Once we’re finished, you’ll be able to handle user account registrations exclusively on your OpenSIPS server while leaving your Asterisk platform completely hidden from public exposure.

Logging into the OpenSIPS Control Panel

As deployed, the OpenSIPS Control Panel is accessible via web browser. As noted previously, HTTP Port 80 access is blocked by default unless the IP address of your desktop PC has been whitelisted either as part of the initial install or using the add-ip script in /root. Once your desktop PC’s IP address is whitelisted, point your browser to http://xxx.xxx.xxx.xxx/cp



The default Username is admin, and the default password is opensips. Once you’re logged in, immediately click on the Users icon in the upper-right corner of the dashboard. Then click the Edit Info pencil icon for user Admin and change your password. Click Save when done.

Creating Domains with OpenSIPS Control Panel

In the Left column of the Dashboard, you’ll see two tabs: Users and System. Click on the System tab to expose the available choices. Then choose the Domains option.



Domains are the essential building blocks in OpenSIPS. You can manage one or a hundred domains on a single OpenSIPS server, and each domain can have its own set of Users, Trunks/Gateways, and Dialplan rules. We’re actually going to create two domains, one for the IP Address of your OpenSIPS server and a second one for the FQDN of your OpenSIPS server. For added security, we will create all User accounts under the FQDN Domain. And we’ll reserve the IP Address Domain for DID Trunks/Gateways from registered, commercial SIP providers. This design allows attackers to attempt to register to accounts on your IP Address Domain until the cows come home, and they will never be successful because there are no existing SIP user accounts there. Keep it that way! With our OpenSIPS design, Fail2Ban will block attackers after a single failed registration attempt. And OpenSIPS itself will identify and block all SIP flood attacks using either Fail2Ban or IPset.

Now that you understand the design, let’s set up your domains. After choosing System -> Domains, enter the IP Address of your OpenSIPS server at the SIP Domain prompt. Then click Add New Domain followed by Reload on Server. Repeat the same steps to enter the fully-qualified domain name (FQDN) of your OpenSIPS server. When finished, you should see:


Creating Users with OpenSIPS Control Panel

We’ve already explained the security implications and reason for creating User accounts with your FQDN Domain only. Click on Users -> User Management -> Add New to get started. You can use Numbers (what we call Extensions in Asterisk) or Names. Our preference is to use Numbers for the User accounts and then to create Alias Names (as desired) for each User account. You can’t dial names from most SIP telephones. This also keeps the design similar to what many are used to in the Asterisk environment. A completed dialog would look something like the following. Use the Domain pull-down to choose your FQDN. Obviously, the passwords must be secure and must match. Then the Register button will be enabled to save. The actual Numbers used for Usernames are completely up to you.



Create at least a couple User accounts so that you can set up two SIP phones to call yourself and verify that everything is working. These User accounts become an integral part of the SIP URI to receive calls from any SIP phone in the world: 7701@opensips.yourdomain.com

Before you can actually answer an incoming call to your SIP URI, you’ll need to register the User account using either a softphone or SIP phone. We’ll do that next. But, first, let’s create an Alias to 7701 User so that folks can reach you by calling joe@opensips.yourdomain.com

Click on Users -> Alias Management -> Add New Alias to get started. Fill in the form using the example below. Make sure that you select your FQDN Domain using the pull-downs for BOTH the Domain and Alias Domain fields. Then click Add to save.


Registering a Softphone to an OpenSIPS User Account

There are literally dozens of free SIP soft phones from which to choose. We covered some of our favorites for every platform in previous articles. For our purposes today, we recommend you choose one of the Linphone softphones which are available for the PC, Mac, Linux, Android, and iOS platforms. We also recommend signing up for a free Linphone.org SIP account which doesn’t cost you anything. For today, we will be configuring the softphone to register to your new OpenSIPS server.

Once you have downloaded and installed the Linphone client, go into the Preferences menu and make the following changes. Some depend upon your calling platform.

  • Audio Codecs: PCMU, G722, PCMA
  • Video Codecs: VP8, H264
  • Call Encryption: None
  • DTMF: RFC2833 only
  • Send InBand DTMF: OFF
  • Send SIP INFO DTMF: OFF
  • SIP UDP 5060: Enabled
  • SIP TCP 5060: Enabled
  • Allow IPv6: Disabled

Then set up a new SIP Proxy account: Username (7701), Password (as defined), Domain: your FQDN not IP address, Transport: UDP, Outbound Proxy: OFF, Stun Server: stun.linphone.org, ICE: ON, AVPF: OFF, Push Notification: ON, Country Code Prefix: 1 (if required by your commercial SIP provider), Register: YES, Account Enabled: YES. HINT: You can call Alias Names via SIP URI, but you can only register to a SIP account using its actual Username.

Avoiding Lockouts with NeoRouter VPN

By design, Fail2Ban is unforgiving when it comes to failed registrations. A single failed registration will get an IP address banned for a full week. The reason is because the new bad guy strategy is to hit your server once to determine whether anybody is home. Then the creep bombards you later with an endless stream of registration attempts. With our design, nobody will be home when they return. The bad news is a single failed registration attempt by you or your users will also trigger a ban. There are several workarounds. The easiest is to set up the NeoRouter client on each of your machines including your OpenSIPS server and use the 10.0.0.x private network for access. These IP addresses never get banned. Our previous tutorial will walk you through setting up a free NeoRouter server and installing the free NeoRouter clients on your machines. The client software already is installed and running on your OpenSIPS server. It only requires that you log in using nrclientcmd and register to your NeoRouter server to obtain a private IP address. The other option is to install OpenVPN. Our previous tutorial will walk you through that process. The advantage of OpenVPN is that it’s supported directly on many SIP telephone instruments. The 10.8.0.x addresses are already whitelisted by our OpenSIPS installer.

There are other options to unban an IP address which has accidentally been snagged. First, almost all of the cloud providers include a Console option in their web portals. Second, you can log into your server via SSH from any non-blacklisted IP address to remove the banned IP address. Once you’re logged in, simply run this command using the IP address you wish to unban: /root/unban-ip xxx.xxx.xxx.xxx

Choosing Commercial SIP Providers

Recall that you cannot register to a SIP alias on your OpenSIPS server. We’ll take advantage of this restriction in setting up incoming calls from commercial providers’ DIDs. To set up Trunks from commercial providers so that you can not only receive incoming calls but also make outbound calls over their PSTN network connections, you must use providers that support IP address authentication rather than a SIP registration. Many providers support this including our platinum sponsor, Skyetel, as well as providers such as VoIP.ms, Anveo Direct, V1VoIP, and many others. In our OpenSIPS design, you also can use DIDs from providers that support SIP URI forwarding such as CallCentric and LocalPhone; however, you are limited to receiving inbound calls only. VoIP communications really shines here because you don’t have to choose a single provider to meet all of your communications requirements.

Skyetel is by far the easiest provider to set up with OpenSIPS. See our earlier tutorial for a special offer that will get you half-price calling for up to $500. Effective 10/1/2023, $25/month minimum spend required. Once you’re registered on the Skyetel site, add a new EndPoint Group using the IP address of your OpenSIP server and designate UDP 5060 as the access port. Sign up for a DID and map it to the OpenSIPS Endpoint Group. Done. In the OpenSIPS Control Panel, navigate to System -> Dynamic Routing and click Add Gateway. Using the template below, create 5 Proxy gateways for the following Skyetel data centers:

  • skyetel-NW 52.41.52.34
  • skyetel-SW 52.8.201.128
  • skyetel-NE 52.60.138.31
  • skyetel-SE 50.17.48.216
  • skyetel-EU 35.156.192.164

Begin by whitelisting the IP addresses of your SIP providers in /etc/iptables/rules.v4 just below the existing 10.8.0.0/24 rule. The entries should look like this:

-I INPUT -s 52.41.52.34 -j ACCEPT

Once you’ve entered IP addresses for your providers, issue the command: iptables-restart

Next, we need to create what Asterisk users know as an Outbound Route. This tells OpenSIPS to send dialed numbers in 11-digit format to Skyetel for termination. We’ve already created the Dial Plan rule for calling out by dialing 1 plus a 10-digit number. So, while you’re still in the Dynamic Routing section of the OpenSIPS Control Panel, click on the Rules tab at the top of the template. Then click Add Rule. Begin by clicking Add ID button and choosing Group ID 0. In the Prefix field, type 1. Now click the Add GW button 3 times after choosing the Skyetel gateways in the following order from the GW pull-down list: skyetel-nw, skyetel-sw, and skyetel-se. Those are the three currently operational Skyetel gateways. When you’re finished, your template should look like the following. Then click the Add button to save the new rule. Click Reload Server to load the new rule into OpenSIPS. Then repeat this procedure leaving the Prefix field blank so that you can make 10-digit calls as well.

Finally, we need to create what Asterisk users know as an Inbound Route. This tells OpenSIPS where to send incoming calls from our Skyetel DID. OpenSIPS handles inbound routes by defining a User Alias for the Username to which you want to route the incoming DID calls. Click on Users -> Alias Management -> Add New Alias to get started. Fill in the form using the following template and then click Add.

  • Username: 7701 (the extension to which to route the incoming calls)
  • Domain: opensips.xyz.com (the FQDN of your OpenSIPS server)
  • Alias Username: 18435551212 (the 11-digit Skyetel DID)
  • Alias Domain: 11.12.13.14 (the IP address of your OpenSIPS server)
  • Alias Type: dbaliases

Introducing the VoIP Blacklist

We’ve always dreamed of an effective VoIP Blacklist, and many have tried. But the crowd-sourced VoIP Blacklist at voipbl.org is the real deal. Everybody can post entries (including the bad guys) and, magically, most of the illegitimate entries get sifted out before the next day’s list is released. The list gets populated every night while you sleep. Here are the steps to install the VoIP Blacklist with IPset:

apt update && apt install ipset iptables netfilter-persistent ipset-persistent iptables-persistent
cd /usr/local/sbin
wget http://incrediblepbx.com/voipbl-update
chmod +x voipbl-update
sed -i 's|fail2ban restart|fail2ban restart\n/usr/local/sbin/voipbl-update|' iptables-restart
iptables-restart
ipset list voipbl
ipset list voipbl | wc -l

Then create a cron job in /etc/crontab to run /usr/local/sbin/voipbl-update every day to update the VoIP blacklist.

1 4 * * * root /usr/local/sbin/voipbl-update > /dev/null 2>&1

Congratulations! You now have a functioning OpenSIPS 3 server that can process incoming calls from SIP URIs as well as DIDs. And you can make SIP URI and 11-digit PSTN calls using your SIP softphone that’s registered to your OpenSIPS server. See you next week. Enjoy!

Continue Reading: Best of Both Worlds: Safely Marrying Asterisk to OpenSIPS

Originally published: Monday, October 4, 2021



Need help with Asterisk? Visit the VoIP-info Forum.


 

Special Thanks to Our Generous Sponsors


FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.

BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.

The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.

VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
 

Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
 



  1. Nerd Vittles receives referral fees from some VoIP service providers to help cover the costs of our blog. We never recommend particular companies solely to generate commissions. We also test all services that we recommend. []

Is SIP Trunking Safe & Reliable in the DDoS World?



Since last Thursday when VoIP.ms suffered (and continues to suffer) one of the worst Distributed Denial of Service (DDOS) attacks in the VoIP era, we’ve been asked a thousand times whether any SIP trunking provider can provide a safe and reliable platform under circumstances similar to the VoIP.ms outage. We obviously cannot vouch for every trunking provider but, based upon our discussions with two of the major carriers that support Incredible PBX, we are confident that either of them could withstand a similar attack and your phones would still ring. Keep in mind that one of the hidden beauties of VoIP is the ability to configure your PBX to use multiple carriers for failover in making outbound calls, something we have always recommended. Unfortunately, inbound calls are tied to registration of each DID with one and only one carrier. Thus, if that carrier goes off line, incoming calls to DIDs registered with that carrier will fail.

To restate the obvious, no provider is going to publicly document their DDOS remediation methodology thereby providing attackers with a blueprint to their network design and remediation strategy. However, under non-disclosure agreements, we have spoken at length with the owners of our two major Incredible PBX providers: Skyetel and Clearly IP. Based upon our NDA discussions over the past few days, we are satisfied that the SIP trunking offerings of our two primary carriers are sufficiently robust to withstand a VoIP.ms-like DDOS attack. Having said that, we are optimistic that the VoIP.ms outage has placed a renewed spotlight on the seriousness of these DDOS attacks with the FBI and the U.S. Department of Homeland Security.

So what’s missing from the VoIP.ms design that has made their infrastructure so vulnerable? Lots. For openers, VoIP.ms apparently does not rely upon SIP proxies or firewalls using industry-standard network management procedures. In fact, until several days ago, VoIP.ms reportedly was hosting its own DNS servers exclusively. While that has been addressed by moving to Cloudflare, other design vulnerabilities have been more difficult to ameliorate. For example, SIP trunking with VoIP.ms by design requires registration to one of several dozen POPs on both your PBX and on their public-facing portal. An inability to access their public portal means an administrator cannot redirect traffic to another POP in case of an outage. And, if an individual POP is overwhelmed with a DDOS attack, that POP can no longer redirect its incoming calls to a failover location. And apparently it is the only server from which this redirection can be initiated. As the current five-day outage makes clear, reengineering this design would be a Herculean task. So an important lesson learned should be that FORWARDING DIDS TO ANOTHER NUMBER OR SIP ADDRESS SHOULD BE COMPLETELY INDEPENDENT OF YOUR PUBLIC-FACING ARCHITECTURE.

What can you do at this juncture to lessen your vulnerability to a future DDOS attack? First, don’t put all of your eggs in one carrier’s basket. This is especially true with your main phone numbers (DIDs). Second, if you are a major organization, move your most important DIDs to one of our preferred providers, Skyetel or ClearlyIP. And, if money is no object, consider an AT&T, Verizon, T-Mobile, or Google Voice trunk. With multi-path forwarding, simultaneous incoming calls can be redirected to other DIDs hosted with SIP trunking providers. These paths can easily be adjusted in the event of a DDOS attack. Many of these providers offer heavily discounted rates for forwarding calls to other SIP destinations which need not be publicly disclosed.

Latest VoIP.ms Update:


Originally published: Monday, September 20, 2021



Need help with Asterisk? Visit the VoIP-info Forum.


 

Special Thanks to Our Generous Sponsors


FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.

BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.

The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.

VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
 

Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
 



Linphone Rocks: Free SIP Calling to Anybody, Anywhere

We’re rounding out our softphone series today with the perfect complement to Clearly Anywhere for Asterisk® and FreePBX®. Let’s face it. SIP URI dialing from extensions is not Asterisk’s strong suit which is disappointing since SIP URI calling is free. If you’ve been following Incredible PBX® 2020 developments this year, you already know that we’ve pushed everyone to move their VoIP servers to the cloud. You not only get a more flexible PUBLIC platform that lets you go virtually anywhere while preserving home base connectivity for a few bucks a month. A public Asterisk server also lets anyone in the world call your PBX via a SIP URI, and the calls are free from any SIP phone. HINT: Linphone softphones are free!

Today we want to take a fresh look at one of our favorites, Linphone. We call it the perfect complement to Clearly Anywhere because it installs on almost every platform and provides SIP URI communications without any dependence upon a PBX at all. And, just like Clearly Anywhere, multiple devices can connect to the same Linphone account to make and receive calls. Linphone offers free SIP clients for Windows, Mac, Linux, iOS, Android, and many browsers. There’s even GPL source code if that’s your thing. Here are the download links:

To get started, sign up for a free Linphone account. Now simply download the app of your choice from the links above and run it. Then choose the Assistant option and plug in your username and password. Be sure to Allow Push Notifications so that your phone will ring whenever you get an incoming call. Now all you need is a cellular data plan or a wired or wireless network connection. Anyone can reach you at yourname@sip.linphone.org. When friends sign up, their calls also will be free. You can talk as often and as long as you like.

Should you ever lose or forget your password. here’s a link that will let you reset it.

The Linphone feature set is downright impressive. Here’s what you and your friends will be using at zero cost:

CONFIGURATION TIPS: Missing audio or one-way audio is a common problem on SIP calls especially if your phone is sitting behind a NAT-based router. For best results, configure your account in the Linphone app to use UDP for the Transport, Disable the Outbound Proxy, configure stun.linphone.org as the Stun Server, and enable ICE. In Network settings, turn off IPv6 and Media Encryption. In Audio Settings, enable Opus, G.722, PCMU, and PCMA only. In Video Settings, enable both VP8 and H.264. Then close the app and reopen it.

Once you have your Linphone credentials, another option in addition to using one of the SIP clients above is to acquire a stand-alone SIP telephone which can easily be connected to your Linphone SIP account. While there are literally hundreds of SIP telephones from which to choose, here’s a $40 offering from Grandstream that we like. It’s available from Amazon.1 Also consider Incredible PBX phones which take SIP communications to a whole new level.

Unlike other proprietary communications apps, the beauty of using Linphone with its native SIP URI support is you can call any SIP phone in the world for free whether the recipient uses Linphone or not. For example, to annoy your friends and spammers, you can transfer their calls to Lenny: 2233435945@sip2sip.info. And here are some other SIP URI calls you might want to try. Store any or all of them in your Linphone Phonebook.

Your Linphone Friend - friend-name@sip.linphone.org
Yahoo News Headlines - news@demo.nerdvittles.com
Yahoo News Headlines - 951@demo.nerdvittles.com
Weather by Zip Code  - weather@demo.nerdvittles.com
Weather by Zip Code  - 947@demo.nerdvittles.com
Directory Assistance - information@demo.nerdvittles.com
Directory Assistance - 411@demo.nerdvittles.com
Call Any TollFree #  - **1800XXXXXXX@tollfree.future-nine.com

There are now more than 2,000 VoIP networks worldwide that support SIP URI access. Any person or organization with an account on any of these networks can be reached at no cost via SIP URI or via several hundred PSTN numbers. Using a SIP URI dialing prefix, you can call any referenced network@sipbroker.com. For example, *656news@sipbroker.com would reach the Nerd Vittles News Headlines from Yahoo. Or, from a PSTN phone, choose a local access number from the SipBroker worldwide directory, e.g. 702-789-0530 and then dial *656951 at the prompt for Yahoo News from Nerd Vittles. Call enabled PBX extensions the same way.

If you want to associate a phone number with your Linphone SIP URI, you can do it in a couple of ways. First, using a smartphone, you can link your cell number to Linphone within the Linphone app itself. If you have a free DID from IPComms, you can point it to your Linphone SIP URI. If you have a $1/month CallCentric DID, it can also be pointed to your Linphone SIP URI.

There’s one more nice surprise. Linphone accounts work much like the old key telephones and Google Voice setup that we all knew and loved. What that means is you can register the same Linphone account on multiple phones in different places.

Calling Linphone Users from Incredible PBX

Since Linphone doesn’t technically assign phone numbers to users’ accounts, you still need a way for PBX extensions to contact Linphone users. The easiest way is to create a Custom Extension for every Linphone user account you need to reach. In the FreePBX GUI, navigate to Applications -> Extensions -> Add Extension -> Custom Extension. Assign an Extension Number and Name to the custom extension. Then click on the Advanced tab. In the Dial field, enter the SIP URI for the Linphone user, e.g. SIP/username@sip.linphone.org. Click Submit and then Reload the Dialplan.

Originally published: Monday, October 19, 2020



Need help with Asterisk? Visit the VoIP-info Forum.


 

Special Thanks to Our Generous Sponsors


FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.

BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.

The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.

VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
 

Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
 



  1. This phone requires a wired network connection. Some of our purchase links refer users to Amazon when we find their prices are competitive for the recommended products. Nerd Vittles receives a small referral fee from Amazon to help cover the costs of our blog. We never recommend particular products solely to generate Amazon commissions. However, when pricing is comparable or availability is favorable, we support Amazon because Amazon supports us. []

BulkVS: A Bargain SIP Provider for Incredible PBX Platforms


At every opportunity I always tell new VoIP enthusiasts that one of the true advantages of switching to a VoIP platform is the fact that you don’t have to put all your eggs in one basket. Just this morning, I read a Facebook post from one of the elders in my family lamenting the fact that her MaBell landline had failed in the midst of this week’s snowstorm in North Carolina. Her local WiFi and cable TV still worked but not her landline or cellphone.

With that background, we are pleased to introduce BulkVS trunking as another option to add to your collection. Unlike Skyetel, ClearlyIP, Vitelity, and VoIP.ms, we receive no commissions from BulkVS so chalk this article up as a good example of biting off your nose to spite your face. There is a PayPal link to the right if you’re feeling grateful. 😉

Why does BulkVS matter? In the words of Alex Trebek, it’s The 3 P’s: Price, Price, and Price. An inbound US48 Tier0 phone number (DID) will set you back 6¢ a month with a 25¢ setup fee. And calls are billed at $.0003 per minute. Toll-free numbers in the U.S. and Canada are 14¢ a month with a per minute rate of $.0055. CNAM lookups are $.002. Outbound calls are $0.004/minute. E911 service is 49¢/month. Billing increment: 6 seconds. Those aren’t typos.

Getting Started with BulkVS

To get started, click the sign up link on the main BulkVS page. Then fund your account with $25 using PayPal. Or you can sign up for Net 15 billing and pay by check or credit card if you’re not in a rush to get started.

BulkVS offers two ways to set up your BulkVS trunking: IP-based authentication and SIP registration. If you don’t have a firewall which means you’re not using Incredible PBX, the first method is a little safer because nobody can spoof the IP address of your Asterisk® PBX. But it’s not for everyone. For example, if you’re behind a NAT-based firewall or if your server has a dynamic IP address, then IP-based authentication really isn’t an option. Similarly, if you don’t have control of the router that your PBX is sitting behind, then IP-based authentication won’t work since you have to forward both the SIP port (UDP 5060) and the RTP ports (10000-20000) to your PBX. The beauty of SIP registrations is they work from almost anywhere including double-NAT environments. So today, we’ll cover the SIP registration approach which will work for everyone.

There are three setup procedures: one using the BulkVS Control Panel, a second using the Linux CLI, and a third using the FreePBX® GUI included in Incredible PBX®.

BulkVS Setup with SIP Registration

Step 1: Go to Inbound -> DIDs – Purchase and buy one or more DIDs for your PBX.

Step 2: Go to Interconnection -> Host – Add and add your PBX’s public IP address. Leave the port as 5060 for both chan_sip and chan_pjsip setups.

Step 3: Go to Interconnection -> Trunk Group – Add and create a Trunk Group.

Step 4: Go to Interconnection -> Trunk Group – Manage and add the Primary IP Address for your new Trunk Group. Set Delivery Type to 11DIGITS.

Step 5: Go to Interconnection -> SIP Registration and write down the credentials for one of the SIP credentials you wish to use to register your new trunks.

Step 6: Go to Inbound -> DIDs – Manage and select each telephone number. Then set the Trunk Group to the SIPREG Trunk Group you chose in the previous step. Click Update button.

Step 7: Wait 15 minutes for the new IP and Trunk Group settings to propagate to SBC nodes.

Linux CLI Setup for BulkVS

First, log into your server as root and edit iptables-custom in /usr/local/sbin. Add the following just above the # End of Trusted Provider Section marker:

# BulkVS WhiteList
/usr/sbin/iptables -A INPUT -p udp -m udp -s 162.249.171.198 --dport 5060:5069 -j ACCEPT
/usr/sbin/iptables -A INPUT -p udp -m udp -s 76.8.29.198 --dport 5060:5069 -j ACCEPT
/usr/sbin/iptables -A INPUT -p udp -m udp -s 69.12.88.198 --dport 5060:5069 -j ACCEPT
/usr/sbin/iptables -A INPUT -p udp -m udp -s 192.9.236.42 --dport 5060:5069 -j ACCEPT
/usr/sbin/iptables -A INPUT -p udp -m udp -s 52.206.134.245 --dport 5060:5069 -j ACCEPT

For chan_sip trunk implementations, while logged into your server as root, edit sip_custom_post.conf in /etc/asterisk. Add the following:

[bulkvs1](bulkvs);
host=192.9.236.42

[bulkvs2](bulkvs);
host=162.249.171.198

[bulkvs3](bulkvs);
host=69.12.88.198

[bulkvs4](bulkvs);
host=76.8.29.198

[bulkvs5](bulkvs);
host=52.206.134.245

 
Finally, restart the IPtables firewall and reload Asterisk:

iptables-restart
fwconsole reload

FreePBX PJsip Setup with SIP Registration

The PJsip alternative is considerably easier. First, you don’t need sip_custom_post.conf entries at all. To begin, navigate to Connectivity -> Trunks and choose Add a PJsip trunk. Name the trunk BulkVS and then click on the pjsip Settings tab. Fill out the form as shown below substituting the BulkVS registration account name you chose above. Any of the three SIP registrations offered for your account under Interconnection -> SIP Registration in the BulkVS Dashboard will work as long as you use the matching password.


Next, click on the Advanced tab and enter the following in the Match (Permit) field.

162.249.171.198,76.8.29.198,69.12.88.198,192.9.236.42,52.206.134.245

In the Codecs tab, enable ULAW and ALAW. Then click Submit and reload your dialplan.

With PJsip registrations, you may also need to add the following lines to the end of extensions_custom.conf in /etc/asterisk using your actual DID. Then reload your dialplan: asterisk -rx "dialplan reload"

[from-sip-external]
; BulkVS
exten => 18005551212,3,Goto(from-trunk,${DID},1)

FreePBX chan_sip Setup with SIP Registration

If you prefer to set up your BulkVS trunk the old-fashioned way, navigate to Connectivity -> Trunks -> Add chan_sip trunk and enter:



In the Incoming tab, enter a Registration String in the following format where 19991234567 is one of your actual BulkVS DIDs. Then Save the settings and reload the dialplan.

yourBulkVSacctname:yourBulkVSpassword@sip.bulkvs.com/19991234567

Finally, navigate to Settings -> Asterisk SIP Settings and the chan_SIP tab, then set the Registration Minimum Expiry and Registration Default Expiry entries to 25. Then click Submit and reload the dialplan.

FreePBX Inbound & Outbound Route Configuration

Finally, we need to tell FreePBX how to route BulkVS calls into and out of your PBX. In the FreePBX GUI under Connectivty -> Inbound Routes, add a new route for BulkVS specifying the 11-digit DID you purchased from BulkVS. Choose a Destination for the incoming calls, save your settings, and reload the dialplan. Repeat this process for each of your BulkVS DIDs. HINT: The monthly cost of the DIDs is inexpensive enough to assign a DID to every extension on your PBX.

Next, navigate to Connectivity -> Outbound Routes and create a new Outbound Route for calls you wish to process using BulkVS termination services. Name the Outbound Route BulkVS and assign the bulkvs trunk as the first entry in the call sequence. In the Dial Patterns tab, you would want match patterns for 1NXXNXXXXXX and NXXNXXXXXX. For the latter entry, be sure to add a Prepend entry of 1. Then save your settings and reload the dialplan.

SMS Message Delivery from BulkVS Trunks

BulkVS also supports SMS messaging on most of their DIDs. To deliver SMS messages from BulkVS, you’ll need a public-facing web server (not Incredible PBX). Assuming you already have that in place, delivery of SMS messages from BulkVS DIDs to your email address or smartphone’s messaging app is straight-forward. Begin by enabling SMS messaging on your DID: Inbound -> DIDs Manage. Next, assign a web address to process the incoming messages on your web server, e.g. http://yourdomain.com/bulkvs-sms/index.php. Then create the index.php file using the sample code below after inserting your email address for delivery of the incoming messages:

<?php

// Syntax for delivery from bulkvs.com SMS Forwarding Service

  $deliverto = "yourname@yourdomain.org";
//  $deliverto = "18431234567@txt.att.net";
  $from = htmlspecialchars($_REQUEST['from']);
  $to = htmlspecialchars($_REQUEST['to']);
  $message = htmlspecialchars($_REQUEST['message']);
  $subject="SMS Message from $from to $to";
  $comment="SMS Message\\n\\nFROM: $from\\n\\nTO: $to\\n\\nMSG: $message\\n\\n";
  mail("$deliverto", "$subject", "$comment", "$from");
  echo "OK";
?>

 
To send an SMS message from one of your BulkVS DIDs, you’ll need your API credentials from the BulkVS web site. Simply insert them together with one of your 11-digit DIDs in the script below, and you can send SMS messages to your heart’s content.

from="18005551212"
apikey="aaabbbccc"
apisecret="dddeeefff"

if [ -z "$1" ]; then
echo 'Syntax: send-sms-bulkvs 18005551212 "Your SMS message"'
exit
fi
if [ -z "$2" ]; then
echo 'Syntax: send-sms-bulkvs 18005551212 "Your SMS message"'
exit
fi

to=$1
msg=$2

curl --header "Content-Type: application/json" --request POST --data \\
'{"apikey":"'"$apikey"'","apisecret":"'"$apisecret"'","from":"'"$from"'","to":"'"$to"'","message":"'"$msg"'"}' \\
https://portal.bulkvs.com/sendSMS

To send SMS messages from a Windows machine, see this post from @jerrm.

Originally published: Tuesday, May 12, 2020



Need help with Asterisk? Visit the VoIP-info Forum.


 

Special Thanks to Our Generous Sponsors


FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.

BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.

The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.

VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
 

Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
 



Introducing Incredible PBX LITE featuring Raspbian 10



As you may know, the Raspberry Pi Foundation introduced the $35 Raspberry Pi 4 last week. In addition to jaw-dropping hardware enhancements, the introduction also included the new Raspbian 10 (Buster) platform which was surprising since Debian 10 isn’t scheduled for official release until the end of this week. As with prior releases, Raspbian 10 brought with it some major headaches for the VoIP community not the least of which is FreePBX® cannot (yet) be installed. But sometimes there’s a silver lining accompanying bad news.

Several Debian 10 issues caused us to rethink what a VoIP platform for the Raspberry Pi actually should look like. After all, most Raspberry Pi hobbyists aren’t interested in mastering the intricacies of Asterisk® and FreePBX. They’re more concerned with a stable, fast VoIP communications platform that’s easy to deploy and will operate without hiccups in a home or small office environment. Thus was born Incredible PBX LITE, a new turnkey VoIP platform that requires zero configuration out of the box and supports five SIP telephones and up to four trunk providers for low-cost worldwide calling. Simply sign up with one of these VoIP service providers, acquire a telephone number (DID), enter the IP address of your PBX, and you can instantly make and receive calls using up to five SIP telephones or softphones.

UPDATE: If you’d prefer the full-featured Incredible PBX 16-15 for the Raspberry Pi, it’s now available here as well.

What’s Included? Despite its name, Incredible PBX LITE still serves up a VoIP powerhouse featuring Asterisk 13, an Apache web server, the latest MariaDB SQL server (formerly MySQL), SendMail, and most of the Incredible PBX feature set including SIP, SMS, Opus, voice recognition, FLITE Text-to-Speech VoIP applications plus fax support, Click-to-Dial, News, Weather, Reminders, and hundreds of features that typically are found in commercial PBXs: Conferencing, IVRs and AutoAttendants, Email Delivery of Voicemail, Voicemail Blasting…

What’s Missing? We’ve removed the entire FreePBX GUI platform while retaining most of its feature set. We’ve also eliminated the need to run a web server or database server although they’re still there. And gone are the days of having to configure extensions and trunks as well as inbound and outbound routes before you can actually use your PBX to make your first call. The tradeoff is a noticeable performance improvement. While a Raspberry Pi 4 isn’t required to run Incredible PBX LITE, doing so provides another three-fold performance boost compared to a Raspberry Pi 3B+. Simply stated, Incredible PBX LITE performance now rivals what you would expect on a powerful cloud-based platform such as Digital Ocean or Vultr.

Choosing a SIP Provider. As we mentioned, Incredible PBX LITE comes preconfigured to support four of the major SIP providers: Skyetel, VoIP.ms, V1VoIP, and Anveo Direct. We obviously hope you’ll choose Skyetel not only because they financially support Nerd Vittles and our open source projects, but also because it is a clearly superior platform offering crystal-clear communications and triple-redundancy so you never miss a call. Skyetel also sets itself apart from the other providers in the support department. They actually respond to issues, and there’s never a charge. As the old saying goes, they may not be the cheapest, but you get what you pay for. Even without taking advantage of Nerd Vittles half-price offer on up to $500 of Skyetel services, they’re still dirt cheap compared to the Bell Sisters and cable companies. Traditional DIDs are $1 per month. Outbound conversational calls are $0.012 per minute. Incoming conversational calls are a penny a minute, and CallerID lookups are $0.004. With all four providers, you only pay for minutes you use. Using more than one is a good idea. Effective 10/1/2023, $25/month minimum spend required.


Assembling the Required Raspberry Pi Components

Before you can deploy Incredible PBX LITE, you’ll first need the necessary Raspberry Pi hardware. Here’s the short list and, if you’re in a hurry, the $35 Raspberry Pi 3B+ will cost you less than $3 extra to get it quickly from Amazon using our referral link. If you prefer to wait for a Raspberry Pi 4, read on. Either way, the RasPi remains one of the world’s best bargains! Assuming you already own an HDMI-compatible monitor and a USB keyboard

  • Raspberry Pi 4B from a Raspberry Pi reseller
  • $8 15.3W USB-C RasPi 4 (only) Power Supply
  • $8 32GB microSDHC Class 10 card (strongly recommended!)
  • $5 Official RasPi 4 Case
  • Getting Started with Incredible PBX LITE

    Here’s everything to know about installation and setup. "Automatic" means just watch. Steps #1 and #2 are self-explanatory. For the remaining steps, we’ll further document the procedures in the sections below.

    1. Download and unzip Incredible PBX LITE image from SourceForge
    2. Transfer Incredible PBX LITE image to microSD card
    3. Boot Raspberry Pi from new microSD card (16GB minimum)
    4. Login to RasPi console as root:password to initialize your server (Automatic)
    5. In raspi-config Advanced Options, Expand FileSystem to fill your SD card
    6. In Localization Options, set Locale, TimeZone, Keyboard, & WiFi Country
    7. Reboot after writing down your server IP address (Automatic)
    8. Login via SSH or Putty as root:password to set passwords & setup firewall (Automatic)
    9. Register for and configure at least one trunk provider for Incredible PBX LITE
    10. Install Incredible Fax: /root/incrediblefax13_raspi3.sh (Credentials: admin:password)

    First Boot of Incredible PBX LITE with Wi-Fi

    Incredible PBX LITE requires Internet connectivity to complete its automated install. If you’re using a wired network connection, you can skip to the next section. With the Raspberry Pi 3B and 4B, WiFi is built into the hardware. But you still have to insert your SSID name and SSID password to make a connection to your WiFi network. To do so, follow these next steps carefully. Insert the Incredible PBX LITE microSD card into your Raspberry Pi 3 or 4 and apply power to the hardware. When the bootup procedure finishes, login as root with the default password: password. At the first prompt, DO NOT PRESS THE ENTER KEY! Instead, press Ctrl-C to break out of the setup script. At the command prompt, issue the following commands to bring up the WiFi config file:

    cd /etc/wpa_supplicant
    nano -w wpa_supplicant.conf
    

    If your WiFi network does not require a password, then uncomment the four lines below and save the file: Ctrl-X, Y, then Enter. Now restart your server: reboot. When the reboot finishes, you now should have network connectivity.

    network={
     key_mgmt=NONE
     priority=1
    }
    

    If your WiFi network requires a password, scroll down to the SSID entry and replace YourSSID with the actual SSID of your WiFi network. Make sure you preserve the entry with the quotes as shown. Next, replace YourSSIDpassword with the SSID password of your WiFi network. Save the file: Ctrl-X, Y, then Enter. Now restart your server: reboot. When the reboot finishes, you now should have network connectivity.

    Once the reboot process finishes, you should see an entry on about the middle line displayed on your monitor which reads: "My IP address is…". Write down the IP address shown. You’ll need it in a minute. Skip the next section since you are using a WiFi connection.

    If you don’t see an IP address assigned to your server, then correct the network deficiency (invalid WiFi credentials, DHCP not working, Internet down), and reboot until you see an IP address assigned to your server. DO NOT PROCEED WITHOUT AN ASSIGNED IP ADDRESS.

    First Boot of Incredible PBX Using Wired Connection

    Incredible PBX LITE requires Internet connectivity to complete its automated install. After connecting your server to your local network with a network cable, insert the Incredible PBX LITE microSD card into your Raspberry Pi and apply power to the hardware. When the bootup procedure finishes, you should see an entry on about the middle line displayed on your monitor which reads: "My IP address is…". Write down the IP address shown. You’ll need it in the next step.

    If you don’t see an IP address assigned to your server, then correct the network deficiency (cable not connected, DHCP not working, Internet down), and reboot until you see an IP address assigned to your server. DO NOT PROCEED WITHOUT AN ASSIGNED IP ADDRESS.

    Completing the Incredible PBX Initialization Procedure

    Unless your desktop PC and RasPi are both on the same private LAN, the remainder of the install procedure should be completed from a desktop PC using SSH or Putty. This will assure that your desktop PC is also whitelisted in the Incredible PBX firewall. Using the console to complete the install is NOT recommended as your desktop PC will not be whitelisted in the firewall. This may result in your not being able to log in to your server. Once you have network connectivity, log in to your server as root from a desktop PC using the default password: password. Accept the license agreement by pressing ENTER. You then will be redirected to raspi-config. This is the utility used to expand your Incredible PBX LITE image to use your entire microSD card. If you fail to complete this step, your microSD card will be restricted to 16GB. In the raspi-config utility, choose Localization Options and set Locale, TimeZone, Keyboard, & WiFi Country. Then choose Advanced Options. All of the defaults should be satisfactory with the exception of the first item: Expand Filesystem. Choose this option and activate the resizing directive. Review the other items and then exit and reboot.

    Once your server reboots and you log back in as root, all of your passwords will be randomly assigned with the exception of the root user Linux password. You can set it by issuing the command: passwd. With the exception of your root user password, the remaining passwords can be displayed using the command: /root/show-passwords.

    Finally, if your PBX is sitting behind a NAT-based router, you’ll need to redirect incoming UDP 5060 and UDP 10000-20000 traffic to the private IP address of your PBX. This is required for all of the SIP providers included in the Incredible PBX LITE build. Otherwise, all inbound calls will fail.

    SECURITY ALERT: There was a configuration error in the initial setup which leaves the firewall deactivated. This gets corrected by the Incredible PBX Automatic Update Utility the next time you login to your server as root. Please do so immediately.

    Configuring Skyetel for Incredible PBX LITE

    If you’ve decided to go with Skyetel, here’s the drill. Sign up for Skyetel service and take advantage of the Nerd Vittles BOGO special. First, complete the Prequalification Form here. You then will be provided a link to the Skyetel site to complete your registration. Once you have registered on the Skyetel site and your account has been activated, open a support ticket and request the BOGO credit for your account by referencing the Nerd Vittles special offer. Skyetel will match your deposit of up to $250 which gets you up to $500 of helf-price calling. Credit is limited to one per person/company/address/location.

    Skyetel does not use SIP registrations to make connections to your PBX. Instead, Skyetel utilizes Endpoint Groups to identify which servers can communicate with the Skyetel service. An Endpoint Group consists of a Name, an IP address, a UDP or TCP port for the connection, and a numerical Priority for the group. For incoming calls destined to your PBX, DIDs are associated with an Endpoint Group to route the calls to your PBX. For outgoing calls from your PBX, a matching Endpoint Group is required to authorize outbound calls through the Skyetel network. Thus, the first step in configuring the Skyetel side for use with your PBX is to set up an Endpoint Group. Here’s a typical setup for Incredible PBX LITE:

    • Name: MyPBX
    • Priority: 1
    • IP Address: PBX-Public-IP-Address
    • Port: 5060
    • Protocol: UDP
    • Description: lite1.incrediblepbx.com

    To receive incoming PSTN calls, you’ll need at least one DID. On the Skyetel site, you acquire DIDs under the Phone Numbers tab. You have the option of Porting in Existing Numbers (free for the first 60 days after you sign up for service) or purchasing new ones under the Buy Phone Numbers menu option.

    Once you have acquired one or more DIDs, navigate to the Local Numbers or Toll Free Numbers tab and specify the desired SIP Format and Endpoint Group for each DID. Add SMS/MMS and E911 support, if desired. Call Forwarding and Failover are also supported. That completes the VoIP setup on the Skyetel side. System Status is always available here.

    Configuring VoIP.ms for Incredible PBX LITE

    To sign up for VoIP.ms service, may we suggest you use our signup link so that Nerd Vittles gets a referral credit for your signup. Once your account is set up, you’ll need to set up a SIP SubAccount and, for Authentication Type, choose Static IP Authentication and enter your Incredible PBX LITE server’s public IP address. For Transport, choose UDP. For Device Type, choose Asterisk, IP PBX, Gateway or VoIP Switch. Order a DID in their web panel, and then point the DID to the SubAccount you just created. Be sure to specify atlanta1.voip.ms as the POP from which to receive incoming calls.

    Configuring V1VoIP for Incredible PBX LITE

    To sign up for V1VoIP service, sign up on their web site. Then login to your account and order a DID under the DIDs tab. Once the DID has been assigned, choose View DIDs and click on the Forwarding button beside your DID. For Option #1, choose Forward to IP Address/PBX. For the Fowarding Address, enter the public IP address of your server. For the T/O (timeout) value, set it to 2o seconds. Then click the Update button. Under the Termination tab, create a new Endpoint with the public IP address of your server so that you can place outbound calls through V1VoIP.

    Configuring Anveo Direct for Incredible PBX LITE

    To sign up for Anveo Direct service, sign up on their web site and then login. After adding funds to your account, purchase a DID under Inbound Service -> Order DID. Next, choose Configure Destination SIP Trunk. Give the Trunk a name. For the Primary SIP URI, enter $[E164]$@server-IP-address. For Call Options, select your new DID from the list. You also must whitelist your public IP address under Outbound Service -> Configure. Create a new Call Termination Trunk and name it to match your server. For Dialing Prefix, choose six alphanumeric characters beginning with a zero. In Authorized IP Addresses, enter the public IP address of your server. Set an appropriate rate cap. We like $0.01 per minute to be safe. Set a concurrent calls limit. We like 2. For the Call Routing Method, choose Least Cost unless you’re feeling extravagant. For Routes/Carriers, choose Standard Routes. Write down your Dialing Prefix and then click the Save button.

    Before you can make outbound calls through Anveo Direct from your PBX, you first must configure the Dialing Prefix that you wrote down in the previous step. Login to your server as root and use nano to edit extensions_additional.conf in the /etc/asterisk directory. Search (Ctl-W) for anveo-pin and replace anveo-pin with the 6-digit alphanumeric PIN for your account. Press Ctrl-X, Y, then Enter to save your settings. Reload your dialplan with the command: asterisk -rx "dialplan reload"

    Audio Issues with Incredible PBX LITE

    Only if you experience one-way or no audio on some calls, add your external IP address and LAN subnet in /etc/asterisk/sip_general_custom.conf like the following example:

    nat=yes
    externip=xxx.xxx.xxx.xxx
    localnet=192.168.0.0/255.255.0.0 
    

    Then restart Asterisk: systemctl restart asterisk

    Configuring a Softphone for Incredible PBX LITE

    We’re in the home stretch now. You can connect virtually any kind of telephone to your new PBX. Plain Old Phones require an analog telephone adapter (ATA) which can be a separate board in your computer from a company such as Digium. Or it can be a standalone SIP device such as ObiHai’s OBi100 or OBi110 (if you have a phone line from Ma Bell to hook up as well). SIP phones can be connected directly so long as they have an IP address. These could be hardware devices or software devices such as the YateClient softphone. We’ll start with a free one today so you can begin making calls. You can find dozens of recommendations for hardware-based SIP phones both on Nerd Vittles and the PIAF Forum when you’re ready to get serious about VoIP telephony.

    We recommend YateClient which is free. Download it from here. Run YateClient once you’ve installed it and enter the credentials for the 701 extension on Incredible PBX. You can find them by running /root/show-passwords. You’ll need the IP address of your server plus your extension 701 password. In the YateClient, fill in the blanks using the IP address of your Server, 701 for your Username, and whatever Password was assigned to the extension when you installed Incredible PBX. Click OK to save your entries.

    Once you are registered to extension 701, close the Account window. Then click on YATE’s Telephony Tab and place some test calls to the numerous apps that are preconfigured on Incredible PBX. Dial a few of these to get started:

    DEMO - Apps Demo
    123 - Reminders
    947 - Weather by ZIP Code
    951 - Yahoo News
    TODAY - Today in History
    LENNY - The Telemarketer's Worst Nightmare
    

    If you are a Mac user, another great no-frills softphone is Telephone. Just download and install it from the Mac App Store.

    Incredible PBX LITE Administration

    We’ve eased the pain of administering your new PBX with a collection of scripts which you will find in the /root folder after logging in with SSH or Putty. Here’s a quick summary of what each of the scripts does.

    add-fqdn is used to whitelist a fully-qualified domain name in the firewall. Because Incredible PBX LITE blocks all traffic from IP addresses that are not whitelisted, this is what you use to authorize an external user for your PBX. The advantage of an FQDN is that you can use a dynamic DNS service to automatically update the IP address associated with an FQDN so that you never lose connectivity.

    add-ip is used to whitelist a public IP address in the firewall. See the add-fqdn explanation as to why this matters.

    del-acct is used to remove an IP address or FQDN from the firewall’s whitelist.

    proximity is a script used in conjunction with bluetooth to decipher whether your smartphone is within range of your server. If not, the script forwards calls to extension 701 to an extension or external smartphone of your choice. Edit the proximity script to add your preferences. Then uncomment the proximity line in /etc/crontab. Complete setup details on setup are available in our previous tutorial.

    reset-conference-pins is a script that automatically and randomly resets the user and admin pins for access to the preconfigured conferencing application. Dial C-O-N-F from any registered SIP phone to connect to the conference.

    reset-extension-passwords is a script that automatically and randomly resets ALL of the SIP passwords for extensions 701-705. Be careful using this one, or you may disable existing registered phones and cause Fail2Ban to blacklist the IP addresses of those users. HINT: You can place a call to the Ring Group associated with all five extensions by dialing 777.

    reset-reminders-pin is a script that automatically and randomly resets the pin required to access the Telephone Reminders application by dialing 123. It’s important to protect this application because a nefarious user could set up a reminder to call a number anywhere in the world assuming your SIP provider’s account was configured to allow such calls.

    show-feature-codes is a cheat sheet for all of the feature codes which can be dialed from any registered SIP phone. It documents how powerful a platform Incredible PBX LITE actually is.

    show-passwords is a script that displays ALL of the passwords associated with Incredible PBX LITE. This includes SIP extension passwords, voicemail pins, conference pins, telephone reminders pin, and your Anveo Direct outbound calling pin (if configured). Note that voicemail pins are configured by the user of a SIP extension the first time the user accesses the voicemail system by dialing *97.

    update-IncrediblePBX is the Automatic Update Utility which checks for server updates from incrediblepbx.com every time you log into your server as root using SSH or Putty. Do NOT disable it as it is used to load important fixes and security updates when necessary. We recommend logging into your server at least once a week.

    pbxstatus (shown above) displays status of all major components of Incredible PBX LITE.

    Call Detail Records available in spreadsheet format at /var/log/asterisk/cdr-csv/Master.csv.

    Originally published: Monday, July 1, 2019



    Need help with Asterisk? Visit the VoIP-info Forum.


     

    Special Thanks to Our Generous Sponsors


    FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.

    BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.

    The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.

    VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
     

    Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
     



    Lessons Learned: Circling Back for a Second Look at OpenSIPS



    Whenever we tackle a new VoIP platform especially for deployment on the open Internet, we think it’s prudent to circle back after a few weeks to review lessons learned and tie up all the loose ends. Today we’ll introduce a number of new KVM cloud providers around the globe at rock-bottom prices plus some new additions to enhance our OpenSIPS firewall design. If you’re just getting started with OpenSIPS, check out the new KVM offerings below and then hop over to our original article which now incorporates all of today’s enhancements. For those that already have deployed OpenSIPS using our previous tutorial, continue reading, and we’ll show you how to deploy the latest and greatest additions.

    While we were in the midst of deploying OpenSIPS, Netflix also disclosed four TCP networking kernel vulnerabilities which are especially important to those of us using hosted cloud platforms. Depending upon your provider, these may or may not be patched promptly.

    We were reminded this month that reinventing the wheel isn’t always the best solution when it comes to VoIP security. While we’re not throwing in the towel on our BadGuys list, we do want to show you how to supplement it with the VoIP Blacklist from voipbl.org. It adds over 80,000 crowd-sourced IP addresses from around the world. The other lesson learned was that blacklists invariably include some IP addresses of good guys that you actually depend upon. These typically are added to the blacklist by, you guessed it, the bad guys.

    With IPtables, the first matching rule always wins so it’s important in structuring firewall rules to insert whitelisted IP addresses BEFORE the blacklist entries so you don’t inadvertently block yourself or some other resource that you actually need. This whitelist should include the IP addresses of your server and workstations as well as the IP addresses of VoIP providers upon whom you rely for communications services. With our OpenSIPS design, the firewall order of preference looks like this: (1) whitelisted IP addresses get full access, (2) blacklisted IP addresses are blocked and get no access, (3) everybody else gets SIP access.

    Rather than attempting to patch the Linux kernel on all of the platforms that are being deployed, we think the prudent first step is to narrow the TCP footprint of all public-facing servers. As part of the original OpenSIPS deployment, we already had hidden web access behind the firewall except for specifically enumerated IP addresses. The second most likely TCP vulnerability would be the TCP SIP ports. While we prefer to use UDP ports for SIP access, some prefer TCP. Until the “SACK Panic” vulnerability is patched, we would strongly recommend at least temporarily discontinuing use of TCP as your SIP transport. After all, OpenSIPS is a SIP server, and the TCP SIP port would be the most likely target for mischief.

    Turning back to blacklists for a moment, we’ve put together a few simple bash scripts which make it easy to deploy and update your VoIP blacklists. We’ve also developed a script that lets you move IP addresses flagged by Fail2Ban into the ipset SIPFLOOD blacklist while easing the pain of uploading your own blacklisted IP addresses to the voipbl.org site for inclusion in their list. In this way, they will be added in the next day’s blacklist collection for everyone to use. To give you a point of reference, on our half dozen, publicly-exposed honey pot servers, today’s additions to the OpenSIPS firewall have reduced attacks to less than one a day.

    Choosing a KVM Platform for OpenSIPS

    For those that are frequent visitors, you already know that we’ve been pushing everyone to kiss their local hardware goodbye and join the cloud revolution. When it comes to public-facing VoIP platforms like OpenSIPS, most of us don’t have a choice. You need a static IP address on the open Internet. And, for the sake of security, a KVM cloud platform is a must since OpenVZ platforms don’t support the ipset component of IPtables which makes it easy to block hundreds of thousands of IP addresses without a performance hit on your server. While we previously have identified OpenVZ providers for our Incredible PBX platforms protected by the Travelin’ Man 3 firewall, pure whitelist access simply isn’t an option if you wish to retain the functionality of a VoIP application such as OpenSIPS. So we went on the hunt to identify KVM cloud providers around the world that could offer a KVM VPS with 1GB RAM, 20GB storage, and 1TB of monthly bandwidth for about $25 a year. No small feat! But our friends at LowEndTalk have come through. Read the message thread and find an offer with a site that best meets your requirements. Many of the KVM offers require you to open a ticket to get the special pricing and configuration outlined above. Here’s a short list of our favorites, but remember to only use the KVM offerings below for OpenSIPS!

    ProviderRAMDiskBandwidthPerformance as of 12/1/19Cost
    CrownCloud KVM (LA)1GB20GB +
    Snapshot
    1TB/month598Mb/DN 281Mb/UP
    2CPU Core
    $25/year
    Best Buy!
    Naranjatech KVM (The Netherlands)1GB20GB1TB/monthHosting since 2005
    VAT: EU res.
    20€/year w/code:
    SBF2019
    BudgetNode KVM (LA)1GB40GB RAID101TB/monthAlso available in U.K PM @Ishaq on LET before payment$24/year
    FreeRangeCloud KVM (Ashburn VA, Winnipeg, Freemont CA)1GB20GB SSD3TB/monthPick EGG loc'n
    Open ticket for last 5GB SSD
    $30/year w/code:
    LEBEGG30

    Introducing the VoIP Blacklist

    We’ve always dreamed of an effective VoIP Blacklist, and many have tried. But the crowd-sourced VoIP Blacklist at voipbl.org is the real deal. Everybody can post entries (including the bad guys) and, magically, most of the illegitimate entries get sifted out before the next day’s list is released. We’ve made this easy in two ways. First, the list gets populated every night while you sleep. At last count, there were 84,504 IP addresses. And, second, to contribute to the blacklist, run iptables -nL weekly to see if Fail2Ban has snagged any bad guys. If so, simply run the new /root/blacklist utility which will move them into your local blacklist and also format the entries for easy submission to voip.bl whenever you feel the urge. Simply issue the command cat /root/blcklist.txt to display the entries you just blacklisted. Then cut-and-paste the results and post them to the VoIP Blacklist. The whole process takes less than a minute, and you’ll be contributing to a very valuable VoIP resource while also using it.

    Upgrading Existing OpenSIPS KVM/OVZ7 Platforms

    If you already have installed OpenSIPS using the previous Nerd Vittles tutorial on a KVM or OVZ7 platform, then the rest of today’s article is for you. If you’re just getting started, hop over to our original article which now incorporates all of today’s enhancements including the VoIP Blacklist.

    We’ve made today’s upgrade easy. Just download the OpenSIPS upgrade tarball, untar it, and run the included installer. In less than a minute, you’ll have all the new pieces without disturbing your existing configuration.

    To get started, log into your KVM or OVZ7 server as root using SSH or Putty and issue these commands:

    cd /
    wget http://incrediblepbx.com/opensips-upgrade1.tar.gz
    tar zxvf opensips-upgrade1.tar.gz
    rm -f opensips-upgrade1.tar.gz
    /root/opensips-upgrade1
    

    Originally published: Monday, June 24, 2019



    Need help with Asterisk? Visit the VoIP-info Forum.


     

    Special Thanks to Our Generous Sponsors


    FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.

    BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.

    The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.

    VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
     

    Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
     



    Best of Both Worlds: Safely Marrying Asterisk to OpenSIPS




    Last week we introduced OpenSIPS, the multi-functional, multi-purpose signaling SIP server which can fulfill almost any communications function one can dream up except the unified communications tasks typically performed with a PBX such as Asterisk®. Today we want to marry the two platforms to give you the best of both worlds. For Incredible PBX® users, the primary advantage of adding an OpenSIPS front end is the elimination of the complexities associated with interacting with your PBX from remote sites with ever changing, dynamic IP addresses coupled with NAT firewalls over which you have no control. While there are many approaches to interconnecting the two platforms, we’re not comfortable with the exposure that a simple registration passthrough design introduces for many Asterisk users. Instead we prefer a model that lets everybody contact you and your users without providing the world the access necessary to allow anonymous strangers a platform from which to launch endless attempts to compromise your Asterisk server and individual Asterisk accounts.

    Not all users on an Asterisk PBX need anonymous lurkers to have worldwide, public access to their individual phones. For most, DIDs suffice for public access. For users that do need such access, we will begin by creating a SIP account on your OpenSIPS server that is separate and apart from your Asterisk user account or extension. Also keep in mind that anonymous SIP calls require a match on the SIP URI to reach the person or function desired. You can enable and disable these SIP URI-accessible functions on your OpenSIPS server as desired. And you can determine how obscure to make each of the SIP URIs. Security through obscurity works and deters many SIP attacks. Now let’s address what you can and cannot do with this setup.

    Using a SIP phone from anywhere in the world, any SIP user CAN:

    • Make SIP URI calls to authorized extensions and ring groups on your Asterisk PBX
    • Make SIP URI calls to authorized clients registered to a 3CX PBX with a SIP UUID
    • With a legitimate password, make DISA-like calls with Asterisk trunks, if enabled
    • With an invalid DISA password, converse with Lenny
    • With a legitimate password, check and manage authorized Asterisk voicemail accounts
    • With a legitimate password, participate in authorized Asterisk conferences
    • Access other authorized Asterisk applications available from Asterisk extensions

    Using a SIP phone from anywhere in the world, an OpenSIPS-registered User also CAN:

    • Make PSTN calls from OpenSIPS-registered SIP phones, if enabled
    • Receive calls from Asterisk forwarded to any OpenSIPS-registered SIP phone
    • Receive calls from Asterisk forwarded to any 3CX-registered client or SIP phone

    Using any SIP phone registered to a SIP proxy, you CANNOT:

    • Log into any Asterisk user account without whitelist permission and credentials
    • Make 911 calls

    Prerequisites: To complete today’s setup, we’re assuming you have (1) an Incredible PBX server running Asterisk 13, (2) an OpenSIPS server built with version 1.2.0 or later of the Incredible PBX for OpenSIPS installer, and (3) either a registered SIP account and SIP URI on your OpenSIPS PBX or a SIP account with a provider such as a free linphone.org account.

    Running pbxstatus on your OpenSIPS server will tell you which version you have. If you don’t have pbxstatus or the version is below 1.2.0, please initialize your Debian 8 platform, download the latest release, and reinstall following the our OpenSIPS tutorial here. There were major changes in the OpenSIPS configuration to support Asterisk connectivity which made an in place upgrade too complex. Our apologies.

    Before creating user accounts on your OpenSIPS server, give some thought to a numbering scheme that won’t conflict with extension registrations on your Asterisk server. For example, if your Asterisk server uses extensions 701 through 750, then you may wish to consider using 7701 through 7750 on your OpenSIPS server. The one-to-one match keeps things simple without running into conflicts between the Asterisk extension numbers and the OpenSIPS user accounts. We’ll use the 700 (Asterisk) and 7700 (OpenSIPS) extension ranges in our examples which follow. And we’ve reworked the original OpenSIPS tutorial in keeping with this design to simplify Asterisk integration for new readers just joining the party.

    We want to express our sincere appreciation to Bill Simon for his patient tutelage in walking us through some of the potential landmines in marrying an OpenSIPS server with Asterisk. Should your organization ever need professional help with a SIP deployment, there is no finer SIP authority than Simon Telephonics.


    1. Configuring Asterisk for Inbound OpenSIPS Calls

    Assuming you have an Incredible PBX 13 platform, open the GUI as admin using a browser from your desktop. First, let’s create a Trunk for the OpenSIPS server. Choose Connectivity -> Trunks -> Add SIP (chan_sip) Trunk. For Trunk Name, use opensips. Next, click on the SIP Settings tab in the dialog. For Trunk Name, again use opensips. In PEER DETAILS, enter the following and replace xxx.xxx.xxx.xxx twice with the actual IP address of your OpenSIPS server. Then click Submit and Reload Dialplan when prompted.

    type=peer
    host=xxx.xxx.xxx.xxx
    context=from-opensips
    insecure=port,invite
    disallow=all
    allow=ulaw
    deny=0.0.0.0/0.0.0.0
    permit=xxx.xxx.xxx.xxx/255.255.255.255
    

    Next, using SSH or Putty, login to your Asterisk server as root and issue these commands replacing xxx.xxx.xxx.xxx with the IP address of your OpenSIPS server (choose option 0 when prompted for access type):

    cd /root
    ./add-ip opensips xxx.xxx.xxx.xxx
    wget http://incrediblepbx.com/from-opensips.tar.gz
    tar zxvf from-opensips.tar.gz
    rm -f from-opensips.tar.gz
    nano -w from-opensips.txt
    

    When the editor opens, scroll down to line 16 and enter a very secure PIN (up to 10 digits) for access to the DISA-like service to make outbound calls via SIP URI. It’s your phone bill so make it long (up to 10 digits) and something that is not easily guessed. On line 20, we have configured DISA for numbers up to 11 digits. If your dialplan requires international dialing support, you can adjust 11 to the desired number of digits. Then save the file and copy the dialplan code into extensions_custom.conf and reload your dialplan:

    cd /etc/asterisk
    cat /root/from-opensips.txt >> extensions_custom.conf
    asterisk -rx "dialplan reload"
    

    IMPORTANT NOTE: Just because you have configured this DISA option on your Asterisk server does not mean it is available via SIP URI. In fact, no SIP URI access to your Asterisk server is enabled at this juncture. You still must set up the SIP URI connections on your OpenSIPS server. Whether to do that and which features to activate are completely up to you.

    2. Configuring OpenSIPS for Asterisk Connectivity

    Beginning with version 1.2.0 of the Incredible PBX installer for OpenSIPS, the server itself is preconfigured to support Asterisk connectivity using AVPs. Implementation only requires command line execution of an AVP script to enable each feature you wish to activate. A similar script can be used to deactivate any AVP feature previously activated. To install the scripts on your OpenSIPS server, log in as root using SSH or Putty and issue these commands:

    cd /root
    wget http://incrediblepbx.com/asterisk-features-for-opensips.tar.gz
    tar zxvf asterisk-features-for-opensips.tar.gz
    rm -f asterisk-features-for-opensips.tar.gz
    

    The function of each of the Asterisk scripts is self-explanatory from the script names:

    • asterisk-add-forward
    • asterisk-delete-forward
    • asterisk-list-forwards

    Three pieces of information are required to add a SIP URI forward from OpenSIPS to your Asterisk server using the AVP asterisk-add-forward script:

    • UUID of SIP URI (from any SIP phone, dial UUID@opensips.yourdomain.com to connect)
    • Asterisk Extension (destination where incoming OpenSIPS call should be forwarded)
    • Asterisk Public IP Address

    To add a SIP URI for extension 701 on your Asterisk server at xx.xx.xx.xx reachable at 701@opensips.yourdomain.com, the command would look like this where xx.xx.xx.xx is the public IP address of your Asterisk server and opensips.yourdomain.com is the FQDN of your OpenSIPS server: /root/asterisk-add-forward 701 701 xx.xx.xx.xx

    CAUTION: Other than for forwards like this, do NOT set up User accounts in the OpenSIPS Control Panel using the same numbers as existing extensions on your Asterisk server. Otherwise, if your SIP phone is registered to a 701 user account on your OpenSIPS server, you lose the ability to connect to any extension on your Asterisk server if a 701 account requiring registration also existed on the Asterisk platform.

    To use a name in the SIP URI or enable a second SIP URI for the same Asterisk 701 extension (jdoe@opensips.yourdomain.com): /root/asterisk-add-forward jdoe 701 xx.xx.xx.xx

    Simply repeat the steps above for every SIP URI you wish to enable for an Asterisk extension.

    To enable DISA-like access via SIP URI using dial as UUID (dial@opensips.yourdomain.com): /root/asterisk-add-forward dial *1 xx.xx.xx.xx

    Keep in mind that you need not use "dial" as the UUID. You can make up any name you like. So long *1 is the DISA extension, the UUID can be as obscure as desired e.g. disa5038now.

    For voicemail access via SIP URI, you can do it in two ways. For generic access triggering prompts for both the voice mailbox number and the mailbox PIN, use the following: /root/asterisk-add-forward vm *98 xx.xx.xx.xx

    For voicemail access to a specific mailbox (701) with only a prompt for the mail PIN, use: /root/asterisk-add-forward vm701 *98701 xx.xx.xx.xx

    For access to a specified conference (2663) with a prompt for the conference PIN, use: /root/asterisk-add-forward conf2663 2663 xx.xx.xx.xx

    For access to Weather Reports (947) with a prompt for the ZIP Code, use something like this: /root/asterisk-add-forward weather 947 xx.xx.xx.xx

    For News Headlines (951), use: /root/asterisk-add-forward news 951 xx.xx.xx.xx

    To delete any previously created UUID forward: /root/asterisk-delete-forward

    To list existing UUID forwards for SIP URIs: /root/asterisk-list-forwards

    Calling Tip: If your softphone is registered to an OpenSIPS User account, you can call any of the enabled forwarding entries by entering the UUID without @opensips.yourdomain.com, e.g. dialing vm would connect to the Asterisk voicemail system with a prompt for mailbox.

    3. Enabling Inbound Calls from Asterisk to a SIP Phone

    In today’s design, incoming calls to your Asterisk PBX can be forwarded to a user account on your OpenSIPS server or a free linphone.org user account by (1) creating a free User account in the OpenSIPS Control Panel or at linphone.org, (2) logging into that user account with a SIP phone or softphone, (3) creating a custom extension in the Incredible PBX GUI that points to the SIP URI of your user account on the OpenSIPS server or your free linphone.org SIP user account or a 3CX client, and (4) adding that custom extension to either a Ring Group that includes your Asterisk extension or enabling FindMe/FollowMe for your Asterisk extension and designating the custom extension as the No Answer Destination. Need support for multiple Asterisk users? Not a problem. Repeat the drill for each user.

    The procedure for adding a User Account in the OpenSIPS Control Panel was covered in last week’s article. The procedure for creating a free Linphone User Account was covered in an earlier article so we won’t repeat it here. Another obvious SIP URI destination is any 3CX Client if you’ve previously set up a free 3CX server following our 3CX tutorial. Refer back to those articles if you need a refresher.

    On the Asterisk side, login to the Incredible PBX GUI as admin with your favorite browser. Then choose Applications -> Extensions -> Add Custom Extension. For the User Extension and Display Name, we recommend using the 7701 numbering scheme for remote accounts. Then click on the Advanced tab and enter the SIP URI of your OpenSIPS, Linphone, or 3CX User account as the Dial option, e.g. SIP/yourname@sip.linphone.org or SIP/7701@opensips.yourdomain.com. Click Submit and Apply Config to reload dialplan.

    To assure that incoming calls ring on both your Asterisk phone (701) and your registered SIP phone, we recommend setting up a Ring Group on the Asterisk side that includes both the 701 extension and the new 7701 custom extension. Then adjust your Inbound Routes to point to the number of this Ring Group instead of to 701. In this way, you can preserve the voicemail functionality associated with your 701 extension. FYI: None of these servers proxy audio and video of your calls. They provide a SIP registration service only.

    The other alternative to a Ring Group is to enable FindMe/FollowMe in the 701 extension settings and then specify Extension:701 as the No Answer Destination. With this approach, voicemail will never be triggered on calls sent to extension 701 on your PBX. Since OpenSIPS lacks voicemail, you would lose calls not answered on your registered SIP phone or softphone.

    TIP: We use 3CX clients exclusively for inbound calls on iPhones and Android devices because we have found they are far superior in dealing with both push notifications and NAT routing. 3CX clients actually ring when someone calls AND you can hear both sides of every call.

    4. Outbound PSTN Calling from OpenSIPS

    The DISA setup documented above allows your existing Trunks to continue to be managed and secured exclusively on your Asterisk server with no trunk exposure on the OpenSIPS platform at all. Thus, if either your public-facing OpenSIPS server or Linphone is ever compromised, nobody will be able to make any calls on your nickel because there will be no trunks available to process the outbound calls. Your DISA password is never exposed.

    For some (like us), a two-step outbound calling procedure is just too painful. In that case, with providers such as Skyetel, you can deploy a PSTN calling platform on both your Asterisk server and on OpenSIPS. We documented the Skyetel trunk setup for OpenSIPS in our tutorial last week. The good news is nothing precludes deployment of Skyetel at multiple sites even if you only use Skyetel on the OpenSIPS platform for outbound calling. And this completely avoids implementing a DISA solution which has security implications of its own. Effective 10/1/2023, $25/month minimum spend at Skyetel is required.

    Enabling direct PSTN calling with OpenSIPS means nobody can ever make PSTN calls merely by guessing a SIP URI. It requires an actual SIP registration to OpenSIPS, and you have Fail2Ban to assist with securing that process. So the outbound calling design is completely up to you. Direct PSTN calling from OpenSIPS is no less safe so long as none of your OpenSIPS User account passwords are compromised.

    5. Enabling Calls from Asterisk to OpenSIPS Users

    For OpenSIPS AVP forwards that have been enabled to Asterisk extensions, you probably will also want to provide a way for Asterisk users to return those calls directly to OpenSIPS users since that will be the CallerID that displays when an OpenSIPS user places a call directly to a forwarded Asterisk extension. Assuming a SIP phone has been registered to User account 7709, when that OpenSIPS user places a call to a forwarded Asterisk extension 701, it means the Asterisk user will see 7709 displayed as the CallerID for the incoming call even though the User of the OpenSIPS 7709 extension may also be associated with extension 709 on the Asterisk side. If the Asterisk callee attempts to return the call by dialing 7709 instead of 709, the call would fail. To avoid confusion by Asterisk users, the simple solution is to add an additional Custom SIP extension for every OpenSIPS User account.

    For example, on the Asterisk side, login to the Incredible PBX GUI as admin with your favorite browser. Then choose Applications -> Extensions -> Add Custom Extension. For the User Extension, enter 7709. For the Display Name, enter the name of the person using that OpenSIPS user account. Next, click on the Advanced tab and enter the SIP URI for this OpenSIPS User account as the Dial option, e.g. SIP/7709@opensips.yourdomain.com. Click Submit and Apply Config to reload dialplan.

    FYI: Matching Custom Extension numbers on the Asterisk platform to identical extensions on your OpenSIPS server does not create the registration problems we cautioned against earlier. Only Asterisk extensions requiring actual SIP registration need to remain unique from accounts on your OpenSIPS platform.

    6. A Few Words About Security

    If you’ve been using Incredible PBX with its Travelin’ Man 3 firewall, it’s not unlike living in a gated community where most of the outside world doesn’t even know you exist. Adding a "second home" with OpenSIPS is not unlike buying a summer place next door to Fred Sanford in Watts. You might as well have set up shop in the middle of Russia because, for all intents and purposes, you have. Anybody in the world can guess your IP address and spend the day trying to break into your server. So the name of the game is vigilance. Especially for the first few weeks, you need to run iptables -nL regularly and see how quickly your Fail2Ban blacklist is filling up. If you heeded our advice and set up your OpenSIPS server on a KVM platform (instead of OpenVZ), we’ve got a handy little script that will let you move bad guys snagged by Fail2Ban to the permanent IPset blacklist. Just download the script and run it daily to move the Fail2Ban entries to permanent block status in the IPset blacklist:

    cd /root
    wget http://incrediblepbx.com/move-fail2bans-to-ipset.tar.gz
    tar zxvf move-fail2bans-to-ipset.tar.gz
    rm -f move-fail2bans-to-ipset.tar.gz
    ./move-fail2bans-to-ipset
    

    Once you have verified that the IP addresses actually are being populated in the IPset blacklist table (ipset list | sort), you can add the script to /etc/crontab to run automatically each night:

    echo "2 4 * * * root /root/move-fail2bans-to-ipset > /dev/null 2>&1" >> /etc/crontab
    

    If you’d like a head start on your IPset blacklist, simply download our latest list and then reboot your server:

    cd /etc
    wget http://incrediblepbx.com/badguys.tar.gz
    tar zxvf badguys.tar.gz
    rm -f badguys.tar.gz 
    

    Another potential vulnerability is SSH. This command will tell you who has attempted to login to your server as root: cat /var/log/auth.log | grep password. If you ever see a failed login and it wasn’t a mistake on your part, change your SSH access port immediately if not sooner: nano -w /etc/ssh/sshd_config. Then restart SSH: /etc/init.d/ssh restart. Better yet, set up SSH public key authentication.

    The other major consideration is the number of holes you punch into the security of your Asterisk server using the OpenSIPS asterisk-add-forward script. Every time you add an extension to this list, you open another (read-only) window into your Asterisk communications world. And anybody can connect to these extensions using either the FQDN of your OpenSIPS server or its IP address. Even though we don’t practice what we preach, we strongly recommend using alphanumeric UUIDs instead of numbers for these access points. That at least avoids random calls from bad guys that are accustomed to numeric numbers only in SIP URIs. Regularly review your OpenSIPS log for unusual strings of forwarded calls and adjust your forwarding UUIDs accordingly: cat /var/log/opensips.log | grep forwarded.

    In our previous article, we’ve already addressed how important it is to limit User accounts to your FQDN and never the IP address of your OpenSIPS server. In this way, you limit OpenSIPS registration exposure to your FQDN and never the IP address of your server. Fail2Ban also assists here by blocking failed login attempts after a single failure unless you have whitelisted the IP address in Fail2ban’s ignoreip list in /etc/fail2ban/jail.conf and restarted Fail2Ban with this command: /etc/init.d/fail2ban restart. These are the only entry points that offer the ability to actually register to your server. AVPs never do. Obviously, a successful SIP registration is much more dangerous than a random phone call on a SIP URI set up using AVP extension forwarding.

    Finally, passwords now matter on your Asterisk PBX for any port forward you’ve established with OpenSIPS. For example, if you’ve set up a generic forward to access voicemail, then it means anybody guessing the SIP URI you created can spend the day (at no cost) attempting to break into ANY voicemail account on your Asterisk server by guessing the PIN. Fail2Ban will not protect you here. If you’ve set up DISA-like access to your Asterisk server on OpenSIPS, then the same applies except now the attacker gets a blank check to make commercial calls if they can guess your access PIN. Worried yet? We hope so. Sure beats a $100,000 phone bill.

    7. Taking OpenSIPS for a Test Drive

    We usually provide a Demo Line for readers to try out our latest creations. For obvious reasons, we prefer not to disclose our OpenSIPS FQDN to the general public. But we have set up a port forward from a DID that we temporarily configured on our OpenSIPS server. So, if you’d like to sample the voice quality of placing a call to a DID in Atlanta forwarded to an OpenSIPS server in New York forwarded to an Asterisk server in Miami and then back to you, try calling 843-606-0555 for a weather report in your favorite ZIP code. We’re betting you will be dumbfounded by the quality of the call. Enjoy!

    Originally published: Monday, May 20, 2019



    Need help with Asterisk? Visit the VoIP-info Forum.


     

    Special Thanks to Our Generous Sponsors


    FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.

    BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.

    The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.

    VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
     

    Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
     



    The 5-Minute Wonder: OpenSIPS Server Takes the Cake


    We covered Kamailio in our Part I article. And we’ve skipped writing about SIP server contestants two, three, and four because they each had a healthy dose of insurmountable problems… at least for us. So today we’re pleased to present Part V in our SIP server series. And, as the headline exclaims, with OpenSIPS we’ve found a platform that finally is worthy of your attention. Our requirements were fairly straightforward. We wanted an open source SIP server to which we could connect users to make and receive free as well as commercial calls worldwide. We also wanted a SIP server with good documentation that was simple to install and to integrate into our existing Asterisk platforms without hiring a consultant. And finally we were searching for a SIP server that could be secured easily without providing free phone service to every bad guy on the planet. OpenSIPS has it all.

    OpenSIPS is a multi-functional, multi-purpose signaling SIP server used by carriers, telecoms or ITSPs for solutions like Class4/5 Residential Platforms, Trunking / Wholesale, Enterprise / Virtual PBX Solutions, Session Border Controllers, Application Servers, Front-End Load Balancers, IMS Platforms, Call Centers, and many others. Source: opensips.org

    We’ve often complained that the problem with many open source projects is that the developers get so focused on making money that they skimp on the documentation to encourage consulting work or participation in expensive conferences. We have found just the opposite with OpenSIPS. In fact, much of today’s implementation is based upon an excellent tutorial by the folks at PowerPBX. Down the road, if you find yourself in need of a consultant, their services would be a good place to start. What we’ve added to the PowerPBX design is security, support for clients behind NAT-based routers, and an integration scheme for Asterisk®, FreePBX®, and Incredible PBX® platforms so that you get the best of both worlds, a public facing SIP server with the UC feature set that most organizations expect. Last but not least, our turnkey GPL installer will get you up and running in about 5 minutes.

    Choosing a KVM/OVZ7 Platform for OpenSIPS

    Let’s begin by addressing the appropriate platform for an OpenSIPS server. The server needs to have a public IP address that is static, and the server should not be situated behind a NAT-based router. It only complicates things and is beyond the scope of what we plan to address. For those that are frequent visitors, you already know that we’ve been pushing everyone to kiss their local hardware goodbye and join the cloud revolution. When it comes to public-facing VoIP platforms like OpenSIPS, most of us don’t have a choice. You need a static IP address on the open Internet. And, for the sake of security, a KVM or OVZ7 cloud platform is a must since older OpenVZ platforms don’t support the ipset component of IPtables which makes it easy to block hundreds of thousands of IP addresses without a performance hit on your server. While we previously have identified older OpenVZ providers for our Incredible PBX platforms protected by the Travelin’ Man 3 firewall, pure whitelist access simply isn’t an option if you wish to retain the functionality of a VoIP application such as OpenSIPS.

    Ten to twenty gigabytes of disk space should be more than ample for OpenSIPS. The amount of RAM in your server depends upon the volume of calls your server will be handling. If it’s a dozen simultaneous calls then 1GB of RAM will suffice. If it’s 100,000 calls, then take a look at this article for tips on sizing your server. For today’s implementation, we’ll be using Debian 8 so any low-cost provider or KVMs at Digital Ocean, Vultr, and OVH should be fine.1

    We recently went on the hunt to identify KVM or OVZ7 cloud providers around the world that could offer a KVM VPS with 1GB RAM, 20GB storage, and 1TB of monthly bandwidth for about $25 a year. No small feat! But our friends at LowEndTalk have come through. Read the message thread and find an offer with a site that best meets your requirements. Many of the KVM offers require you to open a ticket to get the special pricing and configuration outlined above. Here’s a short list of our favorites, but remember to only use the KVM or OVZ7 offerings below for OpenSIPS!

    ProviderRAMDiskBandwidthPerformance as of 12/1/19Cost
    CrownCloud KVM (LA)1GB20GB +
    Snapshot
    1TB/month598Mb/DN 281Mb/UP
    2CPU Core
    $25/year
    Best Buy!
    Naranjatech KVM (The Netherlands)1GB20GB1TB/monthHosting since 2005
    VAT: EU res.
    20€/year w/code:
    SBF2019
    BudgetNode KVM (LA)1GB40GB RAID101TB/monthAlso available in U.K PM @Ishaq on LET before payment$24/year
    FreeRangeCloud KVM (Ashburn VA, Winnipeg, Freemont CA)1GB20GB SSD3TB/monthPick EGG loc'n
    Open ticket for last 5GB SSD
    $30/year w/code:
    LEBEGG30

    Choosing OpenSIPS Components to Deploy

    We’ve divided up today’s tutorial into bite-sized pieces so that you can pick and choose where to stop implementing and start using. You do not need to have an Asterisk server to make and receive calls with OpenSIPS. However, OpenSIPS lacks voicemail and AutoAttendant/IVR components so, if those are a requirement, then you either need a VoIP service provider that offers them, or deploy a $50 Incredible PBX for the Raspberry Pi to add the missing pieces.

    What OpenSIPS offers is a free server platform for worldwide SIP communications so that you, your friends, and business associates can call or connect from anywhere using freely available SIP softphones or any of dozens of SIP telephone instruments. We’ll stick with softphones for today, but hardware-based SIP telephones are equally simple to deploy.

    This is not a criticism because it is one of the best tutorials we’ve ever used but, if you want to see how complex a typical OpenSIPS server deployment is, take a look at the PowerPBX tutorial we used as a starting point with OpenSIPS. We’ve compressed most of those procedures into a turnkey installer that only requires you to enter a MySQL root password of passw0rd (with a zero) once you have your Debian 8/64 platform up and running.

    Deploying a Debian 8 Server Platform

    Start by choosing a cloud provider that offers the 64-bit Debian 8 minimal platform as a deployment option. Most do. As noted, we recommend a KVM or OVZ7 platform, but older OpenVZ platforms perform equally well minus support for ipset which makes it easy to block entire countries overrun with bad guys. Choose offerings with at least 1GB RAM and a 10GB drive to get started. Configure your Debian 8 server with a fully-qualified domain name (FQDN). This is critically important with our security design because we will assign all OpenSIPS users/extensions to this FQDN and reserve your server’s IP address purely for connections from service providers and Asterisk servers. This makes it all but impossible for anyone to hack into your server since most script kiddies launch attacks on IP addresses, not FQDNs. Using an unusual FQDN adds an extra layer of security, but that’s your call. If you lack the ability to assign FQDN aliases to a domain which you own, you can obtain a free FQDN from numerous sources including ChangeIP and point it to the IP address of your OpenSIPS server.

    Installing OpenSIPS on a Debian 8 Server

    Now the fun begins. Log into your Debian 8 server as root and issue the following commands to prepare for the OpenSIPS install:

    cd /root
    wget http://incrediblepbx.com/opensips.tar.gz
    tar zxvf opensips.tar.gz
    rm -f opensips.tar.gz
    

    After untarring opensips.tar.gz above, there’s one extra step for those using KVM or OVZ7 platforms. Do NOT make this change if you’re on an older OpenVZ-based server (not recommended!) that shares its kernel with the host machine. Otherwise, the firewall startup will always fail. For KVM and OVZ7 platforms only, issue the following command: cp -p /root/kvm/* /root

    Make sure you have logged into your Debian 8 server as root using SSH or Putty from a desktop PC that you will use to manage OpenSIPS with a browser. The reason is because this IP address automatically will be whitelisted in the OpenSIPS firewall as part of the install process. Otherwise, you will need to manually log into SSH and whitelist the IP address of your desktop PC using /root/add-ip each time you wish to access the OpenSIPS Control Panel since TCP port 80 (HTTP) is not exposed to the public Internet as a security precaution.




     

    To begin the install, issue this command: /root/install

    As the install progresses, you’ll be prompted several times to assign and then to use the MySQL root password. Please use passw0rd (with a zero) as your MySQL password, or the install will fail. This is NOT a security risk unless your Debian 8 root user account is compromised. And, in that case, it won’t matter anyway since the MySQL password could easily be changed. The rest of the install is self-explanatory. There are a couple of steps where you will be prompted for input. Correct responses are indicated before the various prompts. Pay particular attention when you are prompted to change the SSH port from TCP 22 to a port number in the 1000-2020 range as a security precaution. We recommend using the year you were born because it will be easy for you to remember. When the install finishes and you log out of your server, the next SSH login will look like this where XXXX is the SSH port you chose and yyy.yyy.yyy.yyy is the OpenSIPS server address: ssh -p XXXX root@yyy.yyy.yyy.yyy


    Although most of the configuration of your OpenSIPS server will be handled using a web browser and the OpenSIPS Control Panel GUI, we’ve included a few scripts in /root to assist with maintenance of your server platform. Here’s a brief summary of the script functions:

    • pbxstatus – Status of your OpenSIPS server (image sample above)
    • add-ip – Temporarily WhiteList IP address until next iptables-restart
    • ban-ip – Permanently Ban an IP address
    • unban-ip – Unban a previously banned IP address
    • log-purge – Zero out all of the major Linux log files
    • opensips-check – Assures OpenSIPS and RTPproxy are running (runs automatically)
    • Fail2Ban BlackListsiptables -nL | grep -A100000 "opensips ("
    • IPset BlackList (KVM/OVZ7 platforms only) – ipset list | sort

    We secure your server in several ways: (1) by disguising the SSH port, (2) by locking down almost every port on your server with the IPtables firewall with the exception of the SIP ports, (3) by deploying Fail2Ban to scan your OpenSIPS log for errors and lock out attackers for an extended period of time, and (4) by deploying the IPset blacklist on KVM/OVZ7 platforms. With this design, there is a symbiotic relationship between IPtables, Fail2Ban, and IPset. Therefore, it is critically important that you only restart these services using the iptables-restart command. NEVER issue other IPtables commands to restart or save your firewall settings.

    Activating a SIP Server with OpenSIPS Control Panel

    We don’t want to overload you on the first day with your new OpenSIPS platform so we’ll walk you through the preliminary setup steps to create your SIP Domain. Then we’ll show you how to set up user accounts (also known as extensions). Finally we’ll walk you through setting up a trunk to make and receive calls from a commercial SIP provider. When we’re finished today, you’ll be able to make and receive calls using SIP URIs or DIDs which you have purchased from a provider. Then next week we’ll focus on integration of OpenSIPS with an Asterisk platform of your choice using Incredible PBX and FreePBX as an example. Once we’re finished, you’ll be able to handle user account registrations exclusively on your OpenSIPS server while leaving your Asterisk platform completely hidden from public exposure.

    Logging into the OpenSIPS Control Panel

    As deployed, the OpenSIPS Control Panel is accessible via web browser. As noted previously, HTTP Port 80 access is blocked by default unless the IP address of your desktop PC has been whitelisted either as part of the initial install or using the add-ip script in /root. Once your desktop PC’s IP address is whitelisted, point your browser to http://xxx.xxx.xxx.xxx/cp



    The default Username is admin, and the default password is opensips. Once you’re logged in, immediately click on the Users icon in the upper-right corner of the dashboard. Then click the Edit Info pencil icon for user Admin and change your password. Click Save when done.

    Creating Domains with OpenSIPS Control Panel

    In the Left column of the Dashboard, you’ll see two tabs: Users and System. Click on the System tab to expose the available choices. Then choose the Domains option.



    Domains are the essential building blocks in OpenSIPS. You can manage one or a hundred domains on a single OpenSIPS server, and each domain can have its own set of Users, Trunks/Gateways, and Dialplan rules. We’re actually going to create two domains, one for the IP Address of your OpenSIPS server and a second one for the FQDN of your OpenSIPS server. For added security, we will create all User accounts under the FQDN Domain. And we’ll reserve the IP Address Domain for DID Trunks/Gateways from registered, commercial SIP providers. This design allows attackers to attempt to register to accounts on your IP Address Domain until the cows come home, and they will never be successful because there are no existing SIP user accounts there. Keep it that way! With our OpenSIPS design, Fail2Ban will block attackers after a single failed registration attempt. And OpenSIPS itself will identify and block all SIP flood attacks using either Fail2Ban or IPset (on KVM and OVZ7 platforms only).

    Now that you understand the design, let’s set up your domains. After choosing System -> Domains, enter the IP Address of your OpenSIPS server at the SIP Domain prompt. Then click Add New Domain followed by Reload on Server. Repeat the same steps to enter the fully-qualified domain name (FQDN) of your OpenSIPS server. When finished, you should see:


    Creating Users with OpenSIPS Control Panel

    We’ve already explained the security implications and reason for creating User accounts with your FQDN Domain only. Click on Users -> User Management -> Add New to get started. You can use Numbers (what we call Extensions in Asterisk) or Names. Our preference is to use Numbers for the User accounts and then to create Alias Names (as desired) for each User account. You can’t dial names from most SIP telephones. This also keeps the design similar to what many are used to coming from the Asterisk environment. A completed dialog would look something like the following. Use the Domain pull-down to choose your FQDN. Obviously, the passwords must be secure and must match. Then the Register button will be enabled to save. The actual Numbers used for Usernames are completely up to you.



    Create at least a couple User accounts so that you can set up two SIP phones to call yourself and verify that everything is working. These User accounts become an integral part of the SIP URI to receive calls from any SIP phone in the world: 7701@opensips.yourdomain.com

    Before you can actually answer an incoming call to your SIP URI, you’ll need to register the User account using either a softphone or SIP phone. We’ll do that next. But, first, let’s create an Alias to 7701 User so that folks can reach you by calling joe@opensips.yourdomain.com

    Click on Users -> Alias Management -> Add New Alias to get started. Fill in the form using the example below. Make sure that you select your FQDN Domain using the pull-downs for BOTH the Domain and Alias Domain fields. Then click Add to save.


    Registering a Softphone to an OpenSIPS User Account

    There are literally dozens of free SIP soft phones from which to choose. We covered some of our favorites for every platform in previous articles. For our purposes today, we recommend you choose one of the Linphone softphones which are available for the PC, Mac, Linux, Android, and iOS platforms. We also recommend signing up for a free Linphone.org SIP account which doesn’t cost you anything. For today, we will be configuring the softphone to register to your new OpenSIPS server.

    Once you have downloaded and installed the Linphone client, go into the Preferences menu and make the following changes. Some depend upon your calling platform.

    • Audio Codecs: PCMU, G722, PCMA
    • Video Codecs: VP8, H264
    • Call Encryption: None
    • DTMF: RFC2833 only
    • Send InBand DTMF: OFF
    • Send SIP INFO DTMF: OFF
    • SIP UDP 5060: Enabled
    • SIP TCP 5060: Enabled
    • Allow IPv6: Disabled

    Then set up a new SIP Proxy account: Username (7701), Password (as defined), Domain: your FQDN not IP address, Transport: UDP, Outbound Proxy: OFF, Stun Server: stun.linphone.org, ICE: ON, AVPF: OFF, Push Notification: ON, Country Code Prefix: 1 (if required by your commercial SIP provider), Register: YES, Account Enabled: YES. HINT: You can call Alias Names via SIP URI, but you can only register to a SIP account using its actual Username.

    Avoiding Lockouts with NeoRouter VPN

    By design, Fail2Ban is unforgiving when it comes to failed registrations. A single failed registration will get an IP address banned for a full week. The reason is because the new bad guy strategy is to hit your server once to determine whether anybody is home. Then the creep bombards you later with an endless stream of registration attempts. With our design, nobody will be home when they return. The bad news is a single failed registration attempt by you or your users will also trigger a ban. There are several workarounds. The easiest is to set up the NeoRouter client on each of your machines including your OpenSIPS server and use the 10.0.0.x private network for access. These IP addresses never get banned. Our previous tutorial will walk you through setting up a free NeoRouter server and installing the free NeoRouter clients on your machines. The client software already is installed and running on your OpenSIPS server. It only requires that you log in using nrclientcmd and register to your NeoRouter server to obtain a private IP address.

    There are other options to unban an IP address which has accidentally been snagged. First, almost all of the cloud providers include a Console option in their web portals. Second, you can log into your server via SSH from any non-blacklisted IP address to remove the banned IP address. Once you’re logged in, simply run this command using the IP address you wish to unban: /root/unban-ip xxx.xxx.xxx.xxx

    Choosing Commercial SIP Providers

    Recall that you cannot register to a SIP alias on your OpenSIPS server. We’ll take advantage of this restriction in setting up incoming calls from commercial providers’ DIDs. To set up Trunks from commercial providers so that you can not only receive incoming calls but also make outbound calls over their PSTN network connections, you must use providers that support IP address authentication rather than a SIP registration. Many providers support this including our platinum sponsor, Skyetel, as well as providers such as VoIP.ms, Anveo Direct, V1VoIP, and many others. In our OpenSIPS design, you also can use DIDs from providers that support SIP URI forwarding such as CallCentric and LocalPhone; however, you are limited to receiving inbound calls only. VoIP communications really shines here because you don’t have to choose a single provider to meet all of your communications requirements.

    Skyetel is by far the easiest provider to set up with OpenSIPS. See our earlier tutorial for a special offer that will get you half-price calling for up to $500. Effective 10/1/2023, $25/month minimum spend required. Once you’re registered on the Skyetel site, add a new EndPoint Group using the IP address of your OpenSIP server and designate UDP 5060 as the access port. Sign up for a DID and map it to the OpenSIPS Endpoint Group. Done. In the OpenSIPS Control Panel, navigate to System -> Dynamic Routing and click Add Gateway. Using the template below, create 5 Proxy gateways for the following Skyetel data centers:

    • skyetel-NW 52.41.52.34
    • skyetel-SW 52.8.201.128
    • skyetel-NE 52.60.138.31
    • skyetel-SE 50.17.48.216
    • skyetel-EU 35.156.192.164

    The latest installer will automatically whitelist the Skyetel IP addresses in /etc/iptables/rules.v4 just below the existing 10.8.0.0/24 rule. This will protect you in the event that one or more of the Skyetel IP addresses gets blacklisted inadvertently. You should also add the IP addresses of any other providers you need and then issue the command: iptables-restart

    Next, we need to create what Asterisk users know as an Outbound Route. This tells OpenSIPS to send dialed numbers in 11-digit format to Skyetel for termination. We’ve already created the Dial Plan rule for calling out by dialing 1 plus a 10-digit number. So, while you’re still in the Dynamic Routing section of the OpenSIPS Control Panel, click on the Rules tab at the top of the template. Then click Add Rule. Begin by clicking Add ID button and choosing Group ID 0. In the Prefix field, type 1. Now click the Add GW button 3 times after choosing the Skyetel gateways in the following order from the GW pull-down list: skyetel-nw, skyetel-sw, and skyetel-se. Those are the three currently operational Skyetel gateways. When you’re finished, your template should look like the following. Then click the Add button to save the new rule. Click Reload Server to load the new rule into OpenSIPS. Then repeat this procedure leaving the Prefix field blank so that you can make 10-digit calls as well.

    Finally, we need to create what Asterisk users know as an Inbound Route. This tells OpenSIPS where to send incoming calls from our Skyetel DID. OpenSIPS handles inbound routes by defining a User Alias for the Username to which you want to route the incoming DID calls. Click on Users -> Alias Management -> Add New Alias to get started. Fill in the form using the following template and then click Add.

    • Username: 7701 (the extension to which to route the incoming calls)
    • Domain: opensips.xyz.com (the FQDN of your OpenSIPS server)
    • Alias Username: 18435551212 (the 11-digit Skyetel DID)
    • Alias Domain: 11.12.13.14 (the IP address of your OpenSIPS server)
    • Alias Type: dbaliases

    Introducing the VoIP Blacklist

    We’ve always dreamed of an effective VoIP Blacklist, and many have tried. But the crowd-sourced VoIP Blacklist at voipbl.org is the real deal. Everybody can post entries (including the bad guys) and, magically, most of the illegitimate entries get sifted out before the next day’s list is released. We’ve made this easy in two ways. First, the list gets populated every night while you sleep. At last count, there were 84,504 IP addresses. And, second, to contribute to the blacklist, run iptables -nL weekly to see if Fail2Ban has snagged any bad guys. If so, simply run the new /root/blacklist utility which will move them into your local blacklist and also format the entries for easy submission to voip.bl whenever you feel the urge. Simply issue the command cat /root/blcklist.txt to display the entries you just blacklisted. Then cut-and-paste the results and post them to the VoIP Blacklist. The whole process takes less than a minute, and you’ll be contributing to a very valuable VoIP resource while also using it.

    Congratulations! You now have a functioning OpenSIPS server that can process incoming calls from SIP URIs as well as DIDs. And you can make SIP URI and 11-digit PSTN calls using your SIP softphone that’s registered to your OpenSIPS server. See you next week. Enjoy!

    Continue Reading: Best of Both Worlds: Safely Marrying Asterisk to OpenSIPS

    Originally published: Monday, May 13, 2019  Updated: Monday, June 24, 2019



    Need help with Asterisk? Visit the VoIP-info Forum.


     

    Special Thanks to Our Generous Sponsors


    FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.

    BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.

    The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.

    VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
     

    Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
     



    1. Nerd Vittles receives referral fees from some VoIP service providers to help cover the costs of our blog. We never recommend particular companies solely to generate commissions. We also test all services that we recommend. []